UUnet's Case Study, or The Trouble With Spam
Eggplant62 writes: "In the wake of recent reports of spam-friendliness at big ISPs like AT&T and PSInet, [this article] takes a pretty good look at the problems UU.net is having with enforcing their AUP when it comes to unsolicited email. According to the article, it can take "two to four weeks to shut off a spammer's digital tap." The author of this article solicited news.admin.net-abuse.email for material for the article." Guess it isn't easy even for the big carriers to end the pink-meat congestion.
I have a 24/7 broadband connection with better than 99.9% uptime at home, and I quite enjoy the minor hobby of being able to run my own tinsy little server on it. I have apache and sendmail, ssh login, etc. The notion of a default policy of filtering ports to the end consumer of bandwidth troubles me enormously.
Indeed, this seems to contradict the notion of free and unrestricted end-to-end service, as discussed recently on slashdot. Not to sound horrible here, but we all manage to live with spam pretty well, it's not like it's all that much of a hassle. I just keep a variety of email addresses to give out for different purposes. A few get a good deal of spam, and it's easy to run a script to delete first time messages from users I have never corresponded with from those accounts.
I just worry that, if we were to try to really achieve a spam-free utopia, that it might well be at far too great a cost in freedom. I would rather deal with the occasional spam, than have the commercial bandwidth providers filter my connection. And there is always the worry of false/vindictive reports leading to unfair account termination.
---
man sig
---
the pen is mightier than the sword. the sword is mightier than the court. the court is mightier than the pen.
Okay, apparently no one's heard of this yet, which isn't surprising, but here we go.
There IS a cure for spam. A company I used to work for last year came up with some technology based on P3P technology. The idea is you set up an account and get an 'XNS Agent'. XNS is 'eXtensible Name Service'. You get your own 'XNS name' (via OneName.com or some other agency - some are free, some aren't). When you have your OneName, you can set up your XNS Agent to negotiate privacy with whatever online entity understands about XNS.
Here's the spam-killer idea my ex-boss had when we were working on the service: Build XNS into mail servers - the spec is completely open and available at xns.org. Make this like 'Caller ID for e-mail' (my phrase - I'm so proud :) - you as the email user on that mail server can set up a list of people, as well as a privacy-negotiation policy about receiving email. Those who are on your email pass-thru list can send email directly to you, as normal. Those who are not have to meet your privacy rules before the email goes to you. And/or, you could have it email a message back asking for confirmation before it sends the email to you (thus eliminating the mass majority of spammers - their reply-to addresses are almost always fake).
So, since the spammers would never take the time to confirm their privacy rules, the emails would never get back to you - and you could have the ability to configure your XNS email agent thingy to either dump those messages that didn't get authorized, or hold them for review, or whatever.
You would, of course, have to take a little more time in setting up your mail account on such an XNS-enabled mail server - set up the email address of those people and mailing lists you're on, so they don't get trashed, or bounce messages back into lists, etc. Small price to pay to actually destroy the entire spam industry, though, I'd think.
The neat thing is - all the specs are open - anyone can add it into their open source mail servers - it's encouraged! It also would mean that people wouldn't have to use special mail clients to use it - it's all server-side, hopefully with a web-based interface to configure your agent.
Pretty slick. Available, open source. Free personal 'OneNames' are available, etc. The OneName people _really_ know and understand privacy - I used to work there, I should know.
It's been frustrating receiving all the spam I have been recently, knowing there's a solution to spam out there, and no one is using it. *sigh*
=Tumbleweed (that's my OneName :)
I have worked in the security department of a major ISP for quite some time. The response time is not the issue. We could shut down a spammer within 15 minutes of receiving the first complaint. The problem is with fake accounts. A spammer will use stolen credit cards and do online signups with these, set up a mailserver on their computer and spam away the first time they log on and continue until we get the NMC to kill their connection. By the time we have tracked down their account and have all the paperwork done, (which is just a few minutes) they already have another account waiting, and use a different VPOP, so as not to be totally obvious. The residual damage is having our domain banned, and then trying to contact the other ISPs to clear that ban. This can sometimes take days. A severe pain in the ass. If they use our mail servers, we can put a maximum sender limit, and that stops them a bit. They then usually migrate to another national ISP with higher limits. Sometimes they use open relays in other countries... but the source ip is from our domain, so we have to shut down the account, then contact the foreign admin of the open relay... and again that can take days, plus several interpreters......etc....etc.
/V\4>....
So response time is not always the main issue.
..remember kids hormel is the devil
/V\4|}
...have to be two of the least productive (and most annoying) forms of advertising. When you think about it, pretty much every other form of advertising has at least a little targeting that goes along with it. Billboards target people who are in the area of the business advertising. Television and radio ads target the general demographic that watches/listens to that show. Banner ads (as annoying as they are), at least know a little about the typical person that is looking at them. Despite claims of spammers to have "targeted" lists of email addresses, there is very little that they can know about those email addresses...same with telemarketers and phone numbers.
:)
One solution advertisers are using more and more as people become immune to typical methods is product placement. TV show, movies, etc., are now filled with "products" in use or on the set. Of course, the stuff spammers are selling is a little harder to use with this method...I can see it now: "Quick, get the guns, we're gonna have to...wait a minute...I don't have to do this...I've made millions...(to viewer)...you too can get rich quick with my new scheme to..."
lol. Never mind
www.code-fix.com
We do not object to use of [SPAM] to describe [unsolicited commercial e-mail], although we do object to the use of our product image in association with that term. Also, if the term is to be used, it should be used in all lower-case letters to distinguish it from our trademark SPAM, which should be used with all uppercase letters.
(emphasis mine)
it seems that Slashdot ought to have a new spam icon. See http://www.spam.com for more info.
---
Santa Claus: "Ho ho ho!"
NO CARRIER
Ok from reading the links it seems that there should be 2 things uunet could do very easily to get out of this spam problem
Background:
1: The port 25 block. This is mentioned in the article. In a perfect world, a user should only be able to send to their local mail server. Ie: When a user sets up their new ISP, they have to enter the name of their SMTP and their POP server.
With that being said, it should be logical that UU.net should set up their router filters to only accept traffic going to port 25 on their mail servers. Traffic going to port 25 anywhere else should get blocked. If you have a local UU.net account you should use the uu.net mail server.
Now what about road-warriors? the sales people out in the field who need to send mail?
2 things:
1: They probably vpn in, so that does not even matter. otherwise:
2: If you allow any uu.net address to relay via your mail servers, you have a hosed situation.
2: The second option would be for UU.net to provide the IP ranges for its DIAL Up pool to the DUL project run by MAPS.
This project takes Dial up ranges, and blackholes them from connecting to your network. They too follow the idea that you should only connect via your dedicated mail server.
Now the bonus of step 1, is that all of the mail going out of your network goes through mail servers you control, you can do certain checking, like anyone who is sending mail to 500 BCC'd recipients (multiple RCPT), or if they are using multiple RSET commands to send out the same message but with different subjects, should get rate limited/checked.
Or you can put additional IP information in the message envelope, so that they can be detected easier.
The win with the DUL, is it lets the rest of the net be able to only accept mail from uu.net's mail servers, and takes the cpu overhead of additional filtering off of their routers.
-- C
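The relay-side checks suggested in the comment above (a message fanned out to hundreds of RCPT recipients, and one body re-sent under different subjects with RSET in between), sketched as an added example that is not part of the original thread. The thresholds, the function names and the constructed client-side transcripts are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

MAX_RCPT_PER_MESSAGE = 100   # assumed threshold for recipients in one transaction
MAX_SUBJECTS_PER_BODY = 3    # assumed threshold: same body under N different subjects

@dataclass
class SessionReport:
    messages: int = 0
    max_rcpt: int = 0
    rset_count: int = 0
    max_subjects_per_body: int = 0
    reasons: list = field(default_factory=list)

def split_subject(data_lines):
    """Return (subject, digest of the message with its Subject header removed).
    Folded (multi-line) Subject headers are not handled in this sketch."""
    subject, kept, in_headers = "", [], True
    for line in data_lines:
        if in_headers and line.lower().startswith("subject:"):
            subject = line[8:].strip()
            continue
        if line == "":
            in_headers = False
        kept.append(line)
    return subject, hashlib.sha256("\n".join(kept).encode()).hexdigest()

def inspect_session(lines):
    """Walk the client commands of one SMTP session and flag bulk-mail patterns."""
    report = SessionReport()
    subjects_by_body = {}            # body digest -> set of subjects seen
    rcpts, in_data, data = 0, False, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if in_data:
            if line == ".":          # lone dot ends the DATA section
                in_data = False
                report.messages += 1
                subject, digest = split_subject(data)
                subjects_by_body.setdefault(digest, set()).add(subject)
                rcpts = 0
            else:                    # undo SMTP dot-stuffing
                data.append(line[1:] if line.startswith(".") else line)
            continue
        verb = line.upper()
        if verb.startswith("MAIL FROM:"):
            rcpts = 0
        elif verb.startswith("RCPT TO:"):
            rcpts += 1
            report.max_rcpt = max(report.max_rcpt, rcpts)
        elif verb == "RSET":
            report.rset_count += 1
            rcpts = 0
        elif verb == "DATA":
            in_data, data = True, []
    report.max_subjects_per_body = max(
        (len(s) for s in subjects_by_body.values()), default=0)
    if report.max_rcpt > MAX_RCPT_PER_MESSAGE:
        report.reasons.append("rcpt-fanout")
    if report.max_subjects_per_body >= MAX_SUBJECTS_PER_BODY:
        report.reasons.append("same-body-new-subject")
    return report

def _message(rcpt_count, subject):
    """Constructed sample transaction (client side only, example domains)."""
    lines = ["MAIL FROM:<user@dialup.example>"]
    lines += [f"RCPT TO:<r{i}@example.net>" for i in range(rcpt_count)]
    lines += ["DATA", "From: user@dialup.example", f"Subject: {subject}",
              "", "Make money fast.", "."]
    return lines

# Constructed sessions: one bulk sender, one ordinary user.
BULK_SESSION = ["EHLO dialup.example"]
for subj in ["Hi", "Re: your order", "Urgent", "Invoice"]:
    BULK_SESSION += _message(2, subj) + ["RSET"]
BULK_SESSION += _message(500, "Last chance") + ["QUIT"]
NORMAL_SESSION = ["EHLO dialup.example"] + _message(2, "Lunch?") + ["QUIT"]

if __name__ == "__main__":
    print(inspect_session(BULK_SESSION))
    print(inspect_session(NORMAL_SESSION))
```

A session with a non-empty `reasons` list is a candidate for rate limiting or manual review rather than automatic termination, since mailing-list software can legitimately trip the recipient threshold.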
The idea of creating a real-info blacklist has been bounced around a few times and generally rejected as legally infeasible (would generate too many lawsuits), but still, I keep wishing that as long as ISPs are using AUPs that are incredibly restrictive on users they might as well go all the way and put in a clause stating that by joining the service, you agree that if you are terminated for abuse, the reason for termination and any personal information submitted for the purpose of gaining access may be distributed to all other ISPs that are interested in making account acceptance decisions based upon that information. Maybe give it a 3 or 7 year expiration, kind of like bad credit. Access to a list like this might give even slow ISPs a chance to keep ahead of the problem by preventing it from becoming an issue.
But enough dreaming. For now, we have to make do with whatever technical solutions are available, whether they be RBL-like general blacklists or personal filters. At least those with skill tend not to be spammed much.
The second issue brought up by the article (albeit somewhat indirectly) is the gradual blockage of direct access to mail to dial-up users, either by blocking SMTP at the router level, or by using the MAPS DUL. Despite having great sympathies for the desire to relieve the general frustration caused by spammers with disposable accounts by simply removing one major source of those accounts from the picture, it unfairly places the communication ability of anyone not rich enough for static IPs at the mercy of the frequently abysmal performance of the mail server of their ISP (@Home, for instance, has mail servers that go down on a regular basis, and despite repeated claims to the contrary has been losing a rather disturbing amount of e-mail altogether) -- whether or not that ISP is having any more difficulty controlling its dialup/dynamic-ip users than it is its users with static addresses. Granted, a number of ISPs are filtering at the router or submitting their dialup addresses directly to the DUL themselves, but I have yet to see one of them disclose in their advertisements that they provide a crippled internet connection.
So in summary, what we still need to control this problem ourselves is a better way of publicizing the e-mail distribution points that take a long time to deal with spammers, and a better way of identifying only those dynamic address ranges belonging to ISPs that are either incapable of dealing with their dynamic-IP userbase or have given up on it completely -- and then a centralized location to check up on ISPs with broken services ahead of time, sort of like a Better Business Bureau for the internet.
How to do it? I have no idea. Here's to hoping someone else does.
Well, I figure since I've had to deal with it almost 100% of my career, I may as well toss out my $0.02USD.
Spam isn't as easy to stop as most of the 'tech savvy' /. readers claim, say, swear, or demand it is. First off, you have several types of spammers.
First off is your atypical newbie moron spammer, who gladly gives you all his correct information, gets online, and fires away, gets disconnected immediately, gets blacklisted.
Next you have the more technical spammer, who has an array of fake credit card numbers, false names, false addresses, and so on. He'll set up six or seven accounts on one ISP, usually something like AOL or UUnet, and bounce around with these accounts, spamming. On and off before they can catch him in the middle of it.
Third, you have the guy with a pile of lawyers working for him, that's going to negotiate and hardball his way into a contract with an ISP that lets him spam.
The only remaining spam-friendly ISP was AGIS. Why 'was'? That policy was changed due to something like 60%+ of their customers cancelling after the announcement. Remember Spamford Wallace? He was the guy they hooked up first, and he was the guy that lost them a lot of business. Companies blocked AGIS - my employer at the time filtered all of AGIS' netblocks immediately, to prevent incoming spam. Some providers, ie; PSInet, have negotiated contracts with 'big name' (aka LOTS of spam) firms that allow them to spam to their heart's content.
Now, you've got a spammer. We'll say your typical type 2. And you want to shut him down. Not that easy. Because you do NOT have a common factor, including where they're dialing in from, they can CONTINUE to abuse your service, and there's not much at ALL you can do about it till they slip up somehow, which most sales droids are NOT going to be aware of. They'll just keep bouncing around and evading. And if the ISP gets blackholed or filtered all over, they'll just jump ISPs entirely. These are the pricks that cause the most damage to ISPs. They usually also use the ISP's SMTP server - best thing you can do is to disconnect them the second you see it, and pray they don't have more accounts. I've had to deal with a couple of these in the past, and we had one guy sign up for *SIXTY* accounts in *ONE DAY*, all with different information. When we FINALLY figured out who it was, we were ONLY able to kill the accounts because we had relatively few (around 2,000) and knew when they were added.
Now, say you have someone who bought a leased line and ordered it up deliberately for spam. You can't prove it beforehand, and some of the software out there makes it incredibly hard to find the true source. You have to catch them in the act most of the time. And the best you can HOPE to do is to do a shut on their interface. That's assuming you don't have a legal department that you MUST consult before disconnecting a customer for a contract violation (ie; spamming) and who MUST sign off on the disconnect order - I had to deal with this before. In some of the larger shops, ie; UUnet, AOL, etcetera, you have to go to your legal group and get them to sign off on a disconnect, then you have to go to your engineering department, who may or may not have to schedule it as a change management, who may or may not have to get their managers to write off on it, who may or may not have to go further up the chain. In other words, typical corporate bull will typically tie up a spam disconnect for over a week. It's the cold reality. If you disconnect a customer who WASN'T spamming, they can and likely WILL nail you for breach of contract on a leased line, and that could cost your company MILLIONS. Legal wants proof, engineering wants time and to be left alone, management just wants the mess out of their hair. Plus the overworked abuse departments do not help, as most complaints go there. Where I worked, we had a two person abuse department, who typically had a three week turnaround on initial reply.
You have to take all these kind of things into account. I'm certainly not saying UUnet is doing a great job - they aren't - but they're doing the best they can. I'm not personally aware of any contracts UUnet has negotiated permitting spam, and they usually *do* disconnect a customer for spamming. Other providers are far worse. You can whine, scream, complain, and moan all you want, but spam is not going to go away overnight, and policies at these places don't get changed overnight, if at all. UUnet has their policies, as do most other providers, and the tech that ignores them and just unplugs that spammer is going to find himself out of work almost immediately.
A lot of the posters definitely need a good dose of reality, because this is how it is. It's not just unplug the guy. Maybe the Mom & Pop ISPs have that luxury with dialups, but the other ones? Not a chance. So you're just going to have to live with it. Build your own filter lists, update them, etcetera, and quit whining about these companies being unable to stop it immediately. You want it fixed? You go get a job in management and fix it yourself. No amount of your screaming is going to change a thing.
=RISCy Business, who doesn't give a damn what you think.
your company here.
your company here.
shelby != ford
If a major ISP wants to allow a spammer to operate, then the way they should do it is to require it be done from a dedicated circuit, and to prohibit relaying through any mail server not listed in the DNS for the destination address. Such an operation is very easy to block on the receiving end. In addition to RBL/DUL/RSS, I also have my own DNS zone to block my own set of IP addresses.
My point of view on this is that if someone actually wants to be a part of this and get spam, they should be allowed to do so. Likewise, someone who does not should not have to. I'm not opposed to an ISP that wants to allow spammers to send bulk email in a legitimate (e.g. identifiable, easy to block) way. Anything less is, IMHO, fraud (and if the ISP knows it's going on, is a party to the fraud, also IMHO).
What I want to know is if Nace and SyberSchool are sending their email direct (doing normal DNS MX lookups and sending to the designated host) or if they are doing relaying through innocent third party mail servers. If it is the latter case, then I think they should be cut off. If the former, then I have no problem with it because I can block them myself very easily (your ISP can, too, if they want to).
now we need to go OSS in diesel cars
> Is SPAMing even getting through anymore?
I've only had a "gut-feeling" answer to your question until I stumbled across the following about six months ago. It is the only fact I have seen about this anywhere. (Yes, the writer is from AOL. But I am still amazed at a response rate far above the typical 3-5% for junk mail.)
Until I read it, I always thought the way people made money from spam in this manner: spammers found marks, promised them a lot of money if they let them advertise for them on the Internet, sent out the spam, & made off with the money while the mark took the fall. If this email is any indication, a spammer may actually get useful leads & make some sales from engaging in this obnoxious activity!
Geoff
[from http://www.zdnet.com/tlkbck/comment/82/0,9586,8218 1-318280,00.html]
Name: Patti Illingworth
Email: plifrog@aol.com
Location: Reno, NV
Occupation: Secretary
I am a small business and use the computer on an individual level. We are not
network but we have the same problems. I also use the internet for personal
things, such as just enjoying it. I get quite a few commercial spams and LOADS
of the porn crap, which I am not interested in. I am with AOL and they have an
email address that I just forward the junk to. I have never gone so far as to
CLICK on one of their hyperlinks and don't intend to. The biggest bother is just
spending the time forwarding and deleting it. Someone did get into my computer
once with a Trojan Horse program and somehow got my password and sent a lot
of this trash out in my name. I was temporarily kicked off of AOL and had to
spend a lot of time just getting rid of the stuff. Overnite, I had 450 messages from
people responding to whatever it said (I never did see the original letter) about
80% were very angry and called me every name imaginable. The other 20%
were responding positively and wanted more information. What a mess that was.
I am aware that it is going to be a difficult thing to stop. We just all need to not let
it bother us and keep on living. I have gotten over being frustrated by it and just
know that some of my time each day will be spent getting these jerks off of my
machine.
Thanks for letting me vent.
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
PSI had taken (and deserved) a ton of flak in the past because of their crumby handling of UCE and abuse complaints. Fortunately, I think that the pressure of MAPS and others is finally forcing some changes at the companies.
Last week, I had a problem with a PSI customer with a stuck browser who was (accidentally) hammering our shopping cart script. I called up the number listed in the WHOIS record for PSI.net. A few simple keypresses and maybe 20 seconds later, I was connected with the abuse department. I was speaking to a real, live person! The representative was friendly and understanding and willing to take immediate action against the abuse. She requested that I send logs to abuse@psi.net and while I still had her on the phone, I was to wait for a trouble ticket number. A few seconds later, I gave her my trouble ticket number and she took action while I was still on the phone with her. Amazing.
I used to work for a large cable modem ISP and our "Abuse" department at the time was one lady and an always-full voicemail system and mail queue. Keep up the good work, UCE crusaders. It's finally paying off.
Here's a page from spamcop.net (a spam-reporting and filtering service which I highly recommend) that people might find interesting: http://spamcop.net/stats/biggest_source.html.
This is the list of top sources of spam as reported through their service - #1 is UU.net with 43811 reports. #2, a distant second, is sympatico.ca with 3168. Draw your own conclusions.
Prevention is better than cure, in this case.
This seems like an area where a faster, tougher response to spam would greatly reduce their problems with it. If UUnet were to have a working group that spanned the legal, sales and abuse departments that pretty much responded to spam within 12 hours (or some similar short time) and expedited dealing with it, sure, that would cost them a lot more money.
On the other hand, they'd ultimately have less work to do; how many spammers would use the service if they knew that they'd get about 24 hours of use?
A further twist would be placing some sort of brake on large amounts of outgoing mail - perhaps every 10 complaints received reduces the # of messages per hour by 10% that UUnet will handle from these people (or further, artificially choking off the bandwidth of outgoing packets that are directed at port 25 - although that might be infeasible technically). If it turns out the complaints are not well-founded, then the brake could be removed.
Of course, if the ISPs are colluding with the spammers, there's not a whole lot one can do.
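The complaint-driven brake proposed in the comment above, as an added example that is not part of the original thread. It assumes each block of 10 complaints removes 10% of a baseline hourly quota (a linear reading of the proposal); the baseline figure, the one-hour sliding window and the class name are likewise assumptions.

```python
from collections import deque

WINDOW_SECONDS = 3600        # quota is counted over a sliding hour (assumption)
COMPLAINTS_PER_STEP = 10     # from the comment: every 10 complaints...
CUT_PERCENT_PER_STEP = 10    # ...reduce the hourly quota by 10%

class OutboundBrake:
    """Per-customer limiter on messages the ISP's relay will accept."""

    def __init__(self, base_limit=1000):     # base_limit is an assumed baseline
        self.base_limit = base_limit
        self.complaints = 0
        self.sent = deque()                   # timestamps of accepted messages

    def hourly_limit(self):
        # Integer arithmetic avoids float rounding; the quota bottoms out at zero.
        steps = self.complaints // COMPLAINTS_PER_STEP
        remaining = max(0, 100 - CUT_PERCENT_PER_STEP * steps)
        return self.base_limit * remaining // 100

    def complain(self, count=1):
        self.complaints += count

    def clear_complaints(self):
        """Remove the brake once the complaints are found not to be well-founded."""
        self.complaints = 0

    def allow(self, now):
        """Accept a message at time `now` (seconds) if the quota permits."""
        while self.sent and now - self.sent[0] >= WINDOW_SECONDS:
            self.sent.popleft()               # forget messages older than an hour
        if len(self.sent) < self.hourly_limit():
            self.sent.append(now)
            return True
        return False

if __name__ == "__main__":
    brake = OutboundBrake(base_limit=100)
    accepted = sum(brake.allow(t) for t in range(150))
    brake.complain(25)
    print(accepted, brake.hourly_limit())
```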
My solution to spam on my school account was simply telling friends that I won't accept any email from msn.com and then filter out the whole domain. So far this has worked wonders. Now I know why I have received so much mail originating from msn.com - I read in the linked article that msn is a UUnet partner and that it lacks port 25 filtering. I wish I didn't have to filter out a whole origin domain. I would just ditch the account, but my school refuses to send school-related email to another account.
However the BEST way to go spam-free is to buy oneself a domain that has never been bought before. I have unlimited POP3 (within the space limits that my hoster provides) for myself and a few of my friends. I have been spam free on my domain email for just over 2 years now. Not one single one. It's worth the price of email hosting. Just make sure no one has ever had the domain before and let it go back up for sale. Another of my domains has spam associated with certain email addresses. Careless past owners and users! It was funny though seeing the "kmoore" that previously had an email account has subscribed to various porn sites.
---
---
I'm just an ordinary man with nothing to lose.
Q) What is the only way to effectively have a spam-free account?
A) Change your account frequently.
Yes, you could NEVER give it out, but then you might never know what silly shmuck friend of yours will forward an email you sent to a guy who sends out joke lists that are read by another guy who posts the list, email and all, on his website.
OR, you could be really creative and only make your listed reply-to addresses contain those witty NOSPAM.blah.com lines, which sooner or later (if not already) will simply be encoded by a spam collection bot to bypass in search of more legitimate addresses to collect and sell.
Q) What's the solution then?
A) Pick an account. Aol, yahoo, whatever. Start replying to spams. Act interested. Act like some idiot fool with cash to burn. Sure, you'll get added to even more lists, but odds are that the original spammer will REPLY TO YOU to get more information.
And what do we now have? THE SPAMMER'S ADDRESS.
Maybe it's not his personal account. But it sure as heck is one he cares about. He checks it for his business. It is very critical for him to have a business account to contact his clients (cough-easymarks-cough).
So now what do we do? Submit it to some grassroots organization that stores the address. They'll register a few hundred random accounts at legitimate locations (we don't want to spam him back with false addresses like he did, now do we?) and send him oh, 400 emails with varying lengths and varying titles and varying names EVERY DAY. He won't be able to sort out who is who and will waste a bulk of his time trying to find 1 or 2 legitimate buyers.
Thus the loop is complete. They waste our time, we waste theirs. Sooner or later, 95% of them will deem the practice to be more trouble than it is worth. It's not perfect, and sure there are a few holes in the idea, but how does it sound as a start?
------
Let me give you the lowdown
Maybe it's me but this paragraph sums it up nicely. UUNet spends (approx) half a billion dollars a year on network upgrades (5*52*2mil) and passes on these costs to ISPs that need the bandwidth to handle the onslaught of spam email coming down the pipe from companies that UUNet negotiates "pink contracts" with - all the while spending 10 million a year on spam cops to screw over the rest.
Nice.
Please stop APK.. you're only hurting yourself.