Slashdot Mirror


Spam Slows AT&T Email

jonerik writes: "MSNBC has this article about AT&T's frustration with the increasing quantity and sophistication of spam traffic. As has been noted here already, much of it these days is originating from Asia and, according to the article, 'now represents 20 percent of all e-mail floating around the Internet.'"

272 comments

  1. Just 20%? by clambert · · Score: 1

    Ha! Not if you post on Slashdot...

    --
    mailto:<?=implode("@", array("chris", implode(".", array("php", "net"))))?>
    1. Re:Just 20%? by Anonymous Coward · · Score: 0

      That would depend on how much other mail you get. If like me you're subscribed to various mailing lists, spam becomes but a small fraction of your mail (and I get the mailing lists on digest!).

  2. Spam from Asia? by amorangi · · Score: 3, Funny

    Most of it originates in the USA! And you don't know how annoying it is getting spam for USA paraphernalia, gas masks etc when you are not USian!

    1. Re:Spam from Asia? by Khalid · · Score: 3, Insightful

      I am in Europe and 99,99% percent of the SPAM I get is from US !

    2. Re:Spam from Asia? by Teun · · Score: 3, Informative
      I'm afraid I have to agree, it might have been sent from / through asian servers but the products advertised are near exclusively American. And for the largest part useless and/or unobtainable here in Europe.

      What the rest of the world needs is legislation (not only!) in the US against those trying to sell via this irritating system.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    3. Re:Spam from Asia? by Detritus · · Score: 2

      Most of my spam comes from Asia, and it is in Chinese, Korean and occasionally Cyrillic. The majority of it originates in Asia. I've had my cow-orkers translate some of it for me. I don't know why I get the stuff, as I don't speak any Asian languages.

      --
      Mea navis aericumbens anguillis abundat
    4. Re:Spam from Asia? by ecc0 · · Score: 1

      Are you saying they're not useless and/or unobtainable in the US?

    5. Re:Spam from Asia? by SkewlD00d · · Score: 2, Interesting

      The DMA is hard at work, mail-bombing the world.

      Can we classify spammers as terrorists? How about the Church of $cientology?

      email for the DMA: mailto:wboell@dma.net sign them up for some porn ads. =P

      --
      The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
    6. Re:Spam from Asia? by Eggplant62 · · Score: 2, Insightful

      They blame it on Asia due to the high number of open relays and unsecured (socks|http) proxies that spammers have found in that area. I personally have quite lengthy .procmailrc and iptables files that include huge chunks of China, Taiwan, Japan, Korea, the Netherlands, France, Costa Rica, Argentina *and* the US, because these areas are either too ignorant to run a mailserver properly (as evidenced by the huge number of ancient sendmail configs; I'd imagine they're having a terrible time grokkin' the sendmail docs).

      Add to that the number of purely malicious individuals taking their spammy little affairs to servers outside the US to keep bulletproof status, and of course they're going to blame Asia!

      He who does nothing to aid us is our enemy, or I think President Shrub said something like that.

    7. Re:Spam from Asia? by Arker · · Score: 4, Insightful

      Just goes to show the level of technical (in)comprehension among suits and reporters. Both groups seem to have a difficult time using simple words like "originate" properly.


      Most of the spam I get comes *via* asia (with a rising amount coming from Spain and Portugal lately too) because there are a lot of abusable relays in those areas. But the actual *origin* for most of it seems to be some guy with a cable modem in Arizona.


      Oh, btw, it's just as annoying getting spam for it when you are here in the USA, spam is just annoying period. The most annoying spam I think is when it's for something I might actually be interested in - because there is no way I'd buy ANYTHING that's spamvertised, so a spammer could actually cause me not to get something I want. That's pretty rare though. I think the last time that happened was probably when I got spammed by a BeOS distributor a year or more back.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    8. Re:Spam from Asia? by Anonymous Coward · · Score: 5, Funny
      I don't know why I get the stuff, as I don't speak any Asian languages.

      Friend, are you having trouble reading your mail? Did you know that Chinese is spoken by over 1.3 billion people?! Take our quick and easy class today! Just call 800-555-1212 and start learning Chinese, Korean or other Asian languages.

      This post is not spam! You received this because you joined the opt-in Slashdot and agreed to receive from other list members. This message is sent in compliance of the proposed bill SECTION 301, paragraph (a)(2)(C) of S. 1618. If you wish to be removed please click on the remove link below - Thank you again for giving permission for us to send you offers we believe will help you succeed. Click here if you no longer want to receive gifts or special offers: http://www.sendmemorespam.com

      498731497

    9. Re:Spam from Asia? by Grax · · Score: 2

      You don't want to buy from a spammer no matter where you live. They use dirty tactics to send their spam and you know they will cheat you out of your money at the first opportunity.

      So don't stress out about not being able to buy the products. Be glad.

      It is already illegal to sell using fraud. The problem is trying to track down and prosecute every spammer.

    10. Re:Spam from Asia? by Anonymous Coward · · Score: 0
      > Can we classify spammers as terrorists? How about the Church of $cientology?

      Spammers have been known to relay through .mil sites. I hope DoD comes down hard on 'em.

      As for a certain UFO cult, the only reason they're tax-exempt is because they conducted a DDOS attack on the IRS - cult leaders had cult members individually file lawsuits against the IRS. The IRS threw up its hands and said "fine, you're a religion".

      But now that we're on the subject...

      "People who hijack a religion and make out of it an implement of war will not be free from our interest".

      - John Ashcroft

      We then borrow a quotation from a certain UFO cult.

      "Any Sea Org member contacting any of them is to use Auditing Process R2-45."

      - L. Ron Hubbard, HCO Ethics Order

      Seeing as how R2-45 appears to be a $cieno code word for assassination ("Rounds, two, .45-caliber"), I don't see why not.

      You listening, DOJ? There's a multibillion-dollar UFO cult out there whose stated objective is to "clear the planet". Citizens who don't go along with the program are to be "disposed of, quietly and without sorrow". The reason they're a multibillion-dollar nut cult as opposed to a bunch of whackjobs in a trailer park is because they have tax-exempt status as a religion. The reason they have tax-exempt status as a religion is because of a distributed-denial-of-service attack they conducted on the legal system.

      Perhaps now that our President isn't as reliant on campaign donors in $cieno-influenced Hollywood, something can be done about this unacceptable state of affairs.

    11. Re:Spam from Asia? by netsharc · · Score: 1

      MSNBC quoted "Bill Campbell, who operates Internet service provider Celestial Software near Seattle". Makes me wonder if this guy didn't read Slashdot and then mentioned about the Asian relay servers to MSNBC himself.

      But moronic computer users-turned-admins are out there in force, not just in Asia. Add the language barrier to it and you got bigger morons. I for one agree about banning Asian servers until they figure out what they have to do, although I doubt my primary email provider, Yahoo, would ever do that.

      --
      What time is it/will be over there? Check with my iPhone app!
    12. Re:Spam from Asia? by jazman_777 · · Score: 1
      But the actual *origin* for most of it seems to be some guy with a cable modem in Arizona.


      If this is true, can we take up a collection and pay someone in Arizona to rent a backhoe? And dig up this guy's cable and phone lines?

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    13. Re:Spam from Asia? by Anonymous Coward · · Score: 0

      Poor little Asian, maybe if you would grow up and put down your chopsticks, you might figure out why USians enjoy abusing your open relays so much. You asians seem to be so smart yet are unable to configure a simple computer correctly! Maybe you have something to learn from USians.

      BTW what is the right term for a person from Hong Kong? Hong Kongian? Kongian? Kongianese HKer? HKian? HKianese? Hong Kongese? Hongian? Hongianese? Honger? Konger? British? USians want to know!!!

    14. Re:Spam from Asia? by Steve+B · · Score: 1
      But the actual *origin* for most of it seems to be some guy with a cable modem in Arizona.
      If this is true, can we take up a collection and pay someone in Arizona to rent a backhoe?

      No, no, no -- a woodchipper. Didn't you see Fargo ?

      --
      /. If the government wants us to respect the law, it should set a better example.
    15. Re:Spam from Asia? by smnolde · · Score: 2

      Gee, if only AT&T would shut their OWN OPEN RELAYS!!

      Here's a header of one such email that gets through their open relay:
      Received: from lo (61-216-36-158.HINET-IP.hinet.net [61.216.36.158])
      by chmls21.cp.ipsvc.net (8.11.6/8.11.6) with SMTP id g1ENgSp04151;
      Thu, 14 Feb 2002 18:42:30 -0500 (EST)
      Date: Thu, 14 Feb 2002 18:42:30 -0500 (EST)
      Received: from yahoo
      by yahoo.com with SMTP id jKPDvKWyIdxNwan;
      Fri, 15 Feb 2002 07:37:42 +0800
      Message-ID:
      From: mark@sayhi.com.tw
      To: 0125ok.txt@chmls21.cp.ipsvc.net, 0102ok.txt@chmls21.cp.ipsvc.net, 0103ok.txt@chmls21.cp.ipsvc.net, 0104ok.txt@chmls21.cp.ipsvc.net,
      0105ok.txt@chmls 21.cp.ipsvc.net, 0106ok.txt@chmls21.cp.ipsvc.net,
      0107ok.txt@chmls 21.cp.ipsvc.net, 0108ok.txt@chmls21.cp.ipsvc.net,
      0109ok.txt@chmls 21.cp.ipsvc.net, 0110ok.txt@chmls21.cp.ipsvc.net,
      0111ok.txt@chmls 21.cp.ipsvc.net, 0112ok.txt@chmls21.cp.ipsvc.net,
      0113ok.txt@chmls 21.cp.ipsvc.net, 0114ok.txt@chmls21.cp.ipsvc.net,
      0115ok.txt@chmls 21.cp.ipsvc.net, 0116ok.txt@chmls21.cp.ipsvc.net,
      0117ok.txt@chmls 21.cp.ipsvc.net, 0118ok.txt@chmls21.cp.ipsvc.net,
      0119ok.txt@chmls 21.cp.ipsvc.net, 0122¼Özéok.txt@chmls21.cp.ipsvc.net,
      0101ok.txt@c hmls21.cp.ipsvc.net

      Now, thankfully I use spamassassin and I can modify the filter, but AT&T better work on their own mail servers, too.

    16. Re:Spam from Asia? by seebs · · Score: 2

      Actually, no, most of the spam these days comes from Asia. The Korean school system is so amazingly wide open as to be painful. There's a guy I know who gets well over ten million spams a day from "btamail.net.cn". China, Korea, and Taiwan produce an amazing quantity of spam. Some of that may actually be U.S. spammers attacking open relays, but the fact is, blocking the hosts in Asia blocks a hell of a lot more spam than blocking all the spam sources in the U.S..

      --
      My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
    17. Re:Spam from Asia? by _ph1ux_ · · Score: 4, Funny

      you're just jealous because in the US we have pills that can make your penis grow an inch a month GARAUNTEED!!! ACT NOW!
      .

    18. Re:Spam from Asia? by gordon_schumway · · Score: 1
      Gee, if only AT&T would shut their OWN OPEN RELAYS!!

      Here's a header of one such email that gets through their open relay:
      Received: from lo (61-216-36-158.HINET-IP.hinet.net [61.216.36.158]) by chmls21.cp.ipsvc.net (8.11.6/8.11.6) with SMTP id g1ENgSp04151; Thu, 14 Feb 2002 18:42:30 -0500 (EST)
      Date: Thu, 14 Feb 2002 18:42:30 -0500 (EST) Received: from yahoo by yahoo.com with SMTP id jKPDvKWyIdxNwan; Fri, 15 Feb 2002 07:37:42 +0800

      Where's AT&T's open relay? That looks like it came from hinet.net, which seems to be in Taiwan. Where's the AT&T connection?

      --

      Ha! I kill me!

    19. Re:Spam from Asia? by smnolde · · Score: 2

      chmls21.cp.ipsvc.net is an AT&T relay which accepted an email by a host which misidentified itself as coming from yahoo. I get tons of these a week and each email is unreadable.

      However, I hope I am translating the above properly, but I'm glad I have a spamassassin rule to flag ALL email from hinet.net and seed.net as spam which goes directly to my catchall folder for spam.

      Even if the above relay wasn't AT&T's own relay, then AT&T should express some pressure on ipsvc.net and get that relay secured where header spoofing is not allowed.

    20. Re:Spam from Asia? by gordon_schumway · · Score: 1

      So your mailserver is not owned by AT&T, in which case there should be another line above that one? That's what confused me.

      --

      Ha! I kill me!
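
      The header reading argued over in comments 15 to 20 above, as an added example (not code from any poster): it walks the Received chain from the top and stops at the first hop written by a server the recipient trusts, since only that hop's bracketed peer IP is verified and everything below it was supplied by the sender. The function names, the trusted-host set and the choice of chmls21.cp.ipsvc.net as the recipient's own provider are assumptions; the sample message is constructed from the header quoted above.

```python
import email
import re

# Matches sendmail-style Received values:
#   from HELO (rdns [ip]) by HOST ...    or    from HELO by HOST ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)

# Constructed sample, built from the header quoted in the thread.
SAMPLE = (
    "Received: from lo (61-216-36-158.HINET-IP.hinet.net [61.216.36.158])\n"
    "\tby chmls21.cp.ipsvc.net (8.11.6/8.11.6) with SMTP id g1ENgSp04151;\n"
    "\tThu, 14 Feb 2002 18:42:30 -0500 (EST)\n"
    "Date: Thu, 14 Feb 2002 18:42:30 -0500 (EST)\n"
    "Received: from yahoo\n"
    "\tby yahoo.com with SMTP id jKPDvKWyIdxNwan;\n"
    "\tFri, 15 Feb 2002 07:37:42 +0800\n"
    "From: mark@sayhi.com.tw\n"
    "\n"
    "(body omitted)\n"
)


def parse_received(value):
    """Return helo/rdns/ip/by for one Received value, or None if unparseable."""
    flat = " ".join(value.split())  # undo header folding
    m = RECEIVED_RE.match(flat)
    return m.groupdict() if m else None


def trust_boundary(raw_message, trusted_hosts, internal_ips=frozenset()):
    """Find the hop where the message entered infrastructure we trust.

    Received headers are prepended, so the first one is the newest. A hop is
    believed only if its "by" host is ours. We keep descending only while the
    recorded peer IP is also one of our own relays; otherwise a sender could
    forge extra "by <our host>" lines below the real one.
    """
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    trusted = {h.lower() for h in trusted_hosts}
    entry_index = None
    for i, hop in enumerate(hops):
        if hop is None or hop["by"].lower() not in trusted:
            break
        entry_index = i
        if hop["ip"] not in internal_ips:
            break  # peer is external: this is the boundary
    if entry_index is None:
        return None
    return {
        "entry": hops[entry_index],               # verified by our own server
        "unverified": hops[entry_index + 1:],     # sender-controlled text
    }


if __name__ == "__main__":
    result = trust_boundary(SAMPLE, {"chmls21.cp.ipsvc.net"})
    e = result["entry"]
    print("connecting peer:", e["ip"], "rdns:", e["rdns"], "HELO:", e["helo"])
    for hop in result["unverified"]:
        print("unverified claim: from", hop["helo"], "by", hop["by"])
```

      A block or abuse report should be keyed on the entry hop's IP; the "from yahoo by yahoo.com" line carries no peer IP and was never seen by a server the recipient controls.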

    21. Re:Spam from Asia? by ThatComputerGuy · · Score: 2

      And you also use that foolish , in your numbers.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    22. Re:Spam from Asia? by Anonymous Coward · · Score: 0

      No, it's just that our penises are not small like Americans so we have no use for penis enlarging pills!

    23. Re:Spam from Asia? by Henk+Poley · · Score: 1

      I once had some spam, but since I have installed a "*@aol.com" spam-filter it has been quite quiet...

  3. by Anonymous Coward · · Score: 0
  4. Shoot spammers by Anonymous Coward · · Score: 0

    Or even better: Outlaw them, so we can shoot them.

  5. Spam and SCAT by Anonymous Coward · · Score: 0

    Boy I hate those asians

  6. OMG! by Anonymous Coward · · Score: 0

    OMG! AT&T want to outlaw spam! They want to take away my right to free speech! They are just as bad as Europe! OMG!

  7. War on Spam by October_30th · · Score: 4, Insightful
    Spammers are mostly American, but they hijack Asian mail-relays that have been left open.

    The War on Spam must be fought on several fronts, not just one. These evildoers can be defeated by striking them in American courts and fixing the open-relay problem in Asia.

    --
    The owls are not what they seem
    1. Re:War on Spam by dbarclay10 · · Score: 2

      You know, I actually see that most spam I receive(easily 90% of ~2 dozen spams every 24 hours) is from Asian servers. Why? They're Asian-language.

      Are you telling me that those spams actually originate in the West?

      Riiiiiight. Move along folks, nothing to see here.

      --

      Barclay family motto:
      Aut agere aut mori.
      (Either action or death.)
  8. Speaking as a Libertarian by Anonymous Coward · · Score: 0

    This is a great example of the Free Market at work! Businesses want their product to be known and Asians advertise! Go Free Market, boo AT&T!

    Vote Libertarian.

  9. huh by Goofy+Gavin · · Score: 1, Funny

    from the people who brought you gunpowder...

    Adam

  10. Not a problem by MiTEG · · Score: 1, Troll

    I don't think this would be a problem if people weren't idiots with their email addresses. If you don't want spam, stop signing up for all the "punch the monkey" banner ads you see! I use ATTBI, and I have never received a SINGLE piece of spam with my ATTBI email account. I suspect ATTBI uses the same filtering service as Worldnet, and I'd have to say it works quite well. The spam problem maybe is due to idiot users, but it's also possible that ATT made the foolish decision to sell the customer email database to spammers and now are forced to deal with the consequences.

    I have an excite email address that nicely filters out all the spam the address collects. Excite email did have some problems earlier this year (i.e. change of ownership, hardware failure, etc.) but now it seems to be working great. So maybe ATT should switch over to whatever they're doing?

    --
    The future isn't what it used to be.
    1. Re:Not a problem by CaptainZapp · · Score: 1
      I don't think this would be a problem if people weren't idiots with their email addresses. If you don't want spam, stop signing up for all the "punch the monkey" banner ads you see!

      Well, bub: Apologies, but in my humble opinion you're a pretty arrogant prick.

      So, everybody owning an own domain is an idiot? Pretty much a pre-requisite when you own and run a database consultancy. Or do you recommend to set up some "clever" javascript games, in order to be contacted? Or do you recommend not being in the whois database when you own a domain? Pretty much impossible, eh? Or do you recommend not having an e-mail address at all? Looks a bit stupid as a tech company.

      No need to thank me for some free enlightenment.

      --
      ich bin der musikant

      mit taschenrechner in der hand

      kraftwerk

    2. Re:Not a problem by Anonymous Coward · · Score: 0

      Hate to burst your bubble, but I have an e-mail address that is never posted anywhere that still gets 7 or more spam mails a day. Spammers out there are perfectly happy to scan e-mail servers for addresses. Most of the ones I get include a huge CC list of other e-mail addresses on the server.

      And I know this address has never been given out, because I own a domain, which is where all my real e-mail accounts sit. This one just came with my ISP account, so I only check it for ISP announcements.

    3. Re:Not a problem by Anonymous Coward · · Score: 1, Informative
      Set my wife up with an email address with our dsl provider swbell.net. Sent one message from her account to my work account. Spam started flowing immediately. We didn't do anything idiotic, except maybe use swbell.net

      The address wasn't sniffed at the work end -- a tier-one ISP definitely not involved in address harvesting. Entirely unlikely it was sniffed on the backbone itself. That leaves swbell.net as a prime suspect in selling email addresses of their subscribers. At best, their infrastructure allows others to harvest the traffic, and that's hardly excusable, either.

    4. Re:Not a problem by fmaxwell · · Score: 1, Flamebait

      I don't think this would be a problem if people weren't idiots with their email addresses.

      Do you mean people who do "idiotic" things like having a mailto link on their web page, posting a question on Usenet or a forum with their e-mail address there for responses, or not giving a false e-mail address when they register their software?

      Talk about blaming the victim! So, in real life, are you a lawyer for rapists?

    5. Re:Not a problem by erroneus · · Score: 3, Informative

      I beg to differ with you on many points:

      FIRST! Filtering at the receiving end is not the answer... at least not the whole answer and doesn't address all the other problems. The filter does not prevent the use of bandwidth!! It merely prevents the packets from being processed beyond initial reception and inspection. So the bandwidth is still being eaten.

      SECOND! As another reader/writer has commented, in order to own an internet domain, a valid email address MUST be supplied. This is completely unavoidable. And simply being 'vulnerable' is not an excuse or justification for someone else to unfairly exploit your resources!!!

      I also use ATTBI but I don't use the email service they provide. I guess it means I don't get the updates, bulletins and other information but aside from having essential connectivity, I get my services from elsewhere. I'm very happy with that arrangement.

    6. Re:Not a problem by Anonymous Coward · · Score: 0

      I have an attbi account. It came with my cable modem service. I have /never/ used this email account. I didn't even know what the email address was. For the first time in two years I retrieved mail from it yesterday to see if anything was there. Guess what I had?

    7. Re:Not a problem by martissimo · · Score: 1

      SECOND! As another reader/writer has commented, in order to own an internet domain, a valid email address MUST be supplied. This is completely unavoidable. And simply being 'vulnerable' is not an excuse or justification for someone else to unfairly exploit your resources!!!

      ahh but that's what Hotmail is for, any time I sign up for anything over the Internet I use a Hotmail account...every time I go to that account to receive a confirmation e-mail it's so full of spam it's almost funny. I only ever give my real e-mail that I actually check to close friends and it has never gotten 1 piece of spam.

      If you gotta sign up for something you feel will possibly result in spam, why not have MS foot the bill for the bandwidth? ;)

    8. Re:Not a problem by Com2Kid · · Score: 2

      I am sorry, but for THREE YEARS I did not get but three pieces of spam in my ATTBI (up until recently @Home) Mailbox.

      How?

      Well, my address WAS posted at a few places.

      But they were all trusted locations.

      Let me ask you some questions.

      Have you ever used e-bay?

      Any other online retailer?

      How much do you trust this (these) online retailer(s)?

      Have any of those retailers gone out of business since you gave them your e-mail address by any chance?

      Does anybody else who DOES have your e-mail address have a habit of doing stupid ass shit? (such as, say, running outlook. . . .)

      Does your browser know your real e-mail address? (IIRC, it is simple to grab a persons e-mail from their browser).

      Have you used anon FTPs and actually submitted your REAL e-mail address to them? (doh!)

      Do you read over ALL licencing terms that you agree to on sites that may even possibly have your e-mail address?

      And their privacy policies?

      And compared the two side by side to look for any loop holes that the company may be able to use?

      Do you use separate e-mail addresses for different tasks? If so, how segregated do you keep these different addresses?

      In other words, 'idiotic things' pretty much means ANYTHING that is not fully Tin Foil Hat Paranoia Compliant.

    9. Re:Not a problem by fmaxwell · · Score: 2

      My point is that people should be able to post their address anywhere and not get spam. It's idiotic that you have to be "fully Tin Foil Hat Paranoia Compliant" and a cyber-hermit in order to avoid spam.

      Putting a link to your e-mail address on your web page isn't "idiotic." It's done as a courtesy and convenience to both you and your readers. Making it easy for someone to e-mail you an answer when you ask for help in a public forum isn't stupid. It's polite and it makes it more likely that you'll get a response. Making your e-mail address visible and convenient when you are selling something is reasonable, not idiotic.

      I simply disagree with your premise that anyone who chooses to use their e-mail the way that they want to is an "idiot." I think it's sad that spammers have been able to inconvenience you, me, and so many others on the net.

      God help any spammer I ever meet in person...

    10. Re:Not a problem by Anonymous Coward · · Score: 0

      I use attbi.com as well. The only spam I get is from AT&T itself. It's usually a godawful html email with tons of graphics, disguised as a "newsletter".

      Dumb bastards. I repeatedly told them I didn't want to receive that crap. They would stop for a while, and my emailed bill would stop arriving too.

      I couldn't use the opt-out function, because it required that I visit their web site. Half the time, the web site was inaccessible. When it was up, the dang opt-out page took 20 minutes to load because of all the animated graphics and flash garbage.

      Received another one last week. At least the link provided was to a page without all of that crap, this time.

      When will isps and other companies figure out that "newsletters" and other spam not only lose customer goodwill, but actually create badwill? It's tough enough for companies to generate goodwill now. They seem to be out to eliminate what little trust their customers have for them now.

    11. Re:Not a problem by Com2Kid · · Score: 2

      Use two e-mail addresses.

      One that has lots of filters put on it (filtering out "Penis enlargement" "MLM" and "100% legal" should cut your spam at least in half ^_^ ) and another one for private exchanges that you use personally.

      Yes it is a pain, but then again until recently (and some would say still), similar procedures are needed to keep away from telemarketers too. Hell look how long it took to get some legal recourse in THAT arena!

      Yes, agreed. Spammers _ARE_ right up there with the scum of the earth, but this is a capitalistic society that we live in, and as such if there is an idiotic plan that promises to make money fast, then we are going to have to deal with idiots trying to follow that plan.

      Hell I am just grateful that I have only ever had one vacuum cleaner salesmen come to my door. :)

  11. 20%??? by Anonymous Coward · · Score: 0

    Well if 20% is hurting their network, I'd say they'd better do something about improving their infrastructure.

    1. Re:20%??? by BattleTroll · · Score: 1

      Yes, like putting in a filter to dump all spam to /dev/null. That'd provide a 20% improvement!

  12. duh, challenge response! by tomstdenis · · Score: 2, Informative

    Steps in curing email spam

    1. Close all open relays. That way the route of email is from your ISP to their ISP. [well at least as far as SMTP is concerned]

    2. Use a HashCash like system.

    3. Actively deny connection from IPs that try to connect more than N times in L seconds.

    Duh...

    --
    Someday, I'll have a real sig.
    1. Re:duh, challenge response! by DrSkwid · · Score: 3, Interesting

      That way the route of email is from your ISP to their ISP

      So I should shut my mailserver off because YOU get too much spam, I think not.

      and oh, my ISP made the mistake of having the web server release the /etc/passwd file through an shtml include and now EVERYONE from that ISP is being regularly spammed. Worse bit is I told them about the vulnerability 3 years ago!!

      IPs that try to connect more than N times in L seconds.
      gosh I'm sure the spammers will never notice that one

      I can't get to the hash cash but if it's the old "generate a hash key for each email" it's equally flawed. Spammers have plenty of time

      TMDA is one way, to prevent you from seeing spam

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    2. Re:duh, challenge response! by digitalsushi · · Score: 2, Insightful
      I am a netadmin for an ISP, and I can agree, spam is really just a horrible thing. I get about 70 spams per day per box. When I look at all the things we need to combat on a continuing basis, I feel sad.


      Then I think to myself, "this isn't working. there needs to be a fundamental change to how we receive email."


      And the first thing that pops into my mind, is white list email. Well, there goes 100% of the spam problem, unless you have sleazy friends.


      What happens when someone not on your list sends you an email that you actually need to get? *sigh* It then falls back to us fighting the losing battle.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    3. Re:duh, challenge response! by Anonymous Coward · · Score: 0

      The idea is that it takes a certain amount of physical time to calculate the hash and therefore you cannot expect to be sending 10000s of addresses, unless you're backed by a gigantic cluster of machines all working in parallel and calculating the hash.

      If you do have an open relay then you're full of shit.

    4. Re:duh, challenge response! by tomstdenis · · Score: 1

      So I should shut my mailserver off because YOU get too much spam, I think not.

      No, my point is that email should be point to point.

      For instance, I have a yahoo.com account. When you send me an email it should go from whatever server you use directly to the yahoo.com mail server. That way if you spam me I can tell right away where it came from since yahoo.com will register it.

      Tom

      --
      Someday, I'll have a real sig.
    5. Re:duh, challenge response! by tomstdenis · · Score: 2, Interesting

      Use a point system. For each unique IP that hits you they have a score. Starting at 0 [neutral] which can be reset every L seconds [say every day] then when you get abuse reduce the score and when you get good packets increase the score.

      Then you can setup some form of payment scheme based on the scheme. Like if an IP has a score of -5 they must do the equivalent of 5 seconds of work [say find a 24-bit hash collision given a challenge from the server] before the email is even processed. That way if a server keeps abusing your server they will not get much through quickly. You can even perform one sided signatures to verify they didn't make up the challenges.

      For example,

      your server has a random key [fixed] say 128-bits call it K

      When I want to send a message you send me a timestamp T, a challenge string R and the result of V = hash(T || R || K) where || means concatenation.

      I then have to find a k-bit collision for hash(T || R) which I send back with V, T and R. The server can then verify that the packet is legit since it can check that hash(T || R || K) == V [these are the values sent back except K which only the server knows]. The server can then check that the collision is valid.

      Some basic rules for scoring [e.g. demerits]

      1. Sent from any type of relay
      2. Sender matches a known abuser [i.e ORBS list or something]
      3. reply-to does not point to the address of the sender [e.g. fake reply address] or otherwise invalid return path.
      4. message matches some known heuristics [e.g. virus, worm, spam]
      5. Sender has tried to open a port L times in the past N seconds.

      [etc]

      That won't stop people from opening a zillion connections but it will stop spam from reaching the end consumer as quickly [not entirely] as before.

      This is also less user oriented. This system is intended to punish the ISP not the end users. So an ISP which has low ratings will have to clean up their act on their own [e.g. it's in their own interest].

      You're thinking "so you want my server to do work?" here's the beauty of the scheme though. If you have a >= 0 rating then the other server will not make you do any work. So as long as your system is clean there is no pain.

      Tom

      --
      Someday, I'll have a real sig.
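
      The stateless challenge described in comment 5 above, sketched as an added example (not code from the post or from HashCash). It assumes HMAC-SHA256 in place of the bare hash(T || R || K) and reads the "k-bit collision" HashCash-style as k leading zero bits; the score-to-difficulty mapping, the freshness window and the replay set are illustrative additions.

```python
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(16)  # K: fixed 128-bit secret known only to the server
MAX_AGE = 300                # assumed lifetime of a challenge, in seconds


def bits_for_score(score):
    """Assumed mapping from sender score to difficulty; score >= 0 costs nothing."""
    return 0 if score >= 0 else min(24, 12 + 2 * -score)


def _tag(t, r, bits):
    # V in the post. HMAC replaces hash(T || R || K); bits is bound into the
    # tag (an addition) so a client cannot send back an easier difficulty.
    msg = f"{t}|{r}|{bits}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(score, now=None):
    """Server side: returns (T, R, bits, V) and stores nothing per client."""
    t = int(time.time() if now is None else now)
    r = os.urandom(16).hex()
    bits = bits_for_score(score)
    return t, r, bits, _tag(t, r, bits)


def work_ok(t, r, nonce, bits):
    """True if sha256(T|R|nonce) starts with `bits` zero bits."""
    digest = hashlib.sha256(f"{t}|{r}|{nonce}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def solve(t, r, bits):
    """Client side: brute-force search, about 2**bits hashes on average."""
    nonce = 0
    while not work_ok(t, r, nonce, bits):
        nonce += 1
    return nonce


def verify(t, r, bits, v, nonce, seen, now=None):
    """Server side: recompute V from the echoed values, then check the work.

    `seen` holds challenge strings already redeemed; without it one solved
    challenge could be replayed for every message until it expires. Entries
    older than MAX_AGE can be dropped.
    """
    now = time.time() if now is None else now
    if not hmac.compare_digest(_tag(t, r, bits).encode(), str(v).encode()):
        return "bad-tag"            # challenge was not issued by this server
    if not 0 <= now - t <= MAX_AGE:
        return "stale"
    if not work_ok(t, r, nonce, bits):
        return "insufficient-work"
    if r in seen:
        return "replayed"
    seen.add(r)
    return "ok"


if __name__ == "__main__":
    redeemed = set()
    t, r, bits, v = issue_challenge(score=-1)
    nonce = solve(t, r, bits)
    print(bits, "bits, nonce", nonce, "->", verify(t, r, bits, v, nonce, redeemed))
```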
    6. Re:duh, challenge response! by Anonymous Coward · · Score: 1, Interesting

      A white list system would solve most of the spam problem, but the users' security would be seriously compromised. If such a "friends list" existed for any user, it could and probably would be accessed by government or others for nefarious purposes.

      Why not have all MTA software identify itself as an open or closed relay? For each MTA that does not identify itself as closed, Helpful administrators elsewhere could then have a message automatically sent to the relay's administrator. The message could include an attached patch or other means to stop the relaying.

      An MTA that identifies itself as closed to relaying, but which relays anyway, would provide enough reason to be blocked.

    7. Re:duh, challenge response! by DerFeuervogel · · Score: 2

      From tomstdenis.home.dhs.org/
      <Page Cut>
      Pro MS?

      Yeah you heard right I am pro-MS. Why? Because nobody else is.



      As you read this Perl processed Apache served page please keep an open
      mind why I think MS is not such a bad company.


      The monopoly



      Ok so you guys think because MS packs IE and MSN stuff with Windows it
      is a monopoly right? Well monopolies only exist where alternatives are
      removed from the playing field. Goto msn.com and type in Mozilla into
      the search box.



      </Page Cut>

      Oh well even the smart ones can be misguided :^)

    8. Re:duh, challenge response! by jazman_777 · · Score: 2, Funny
      Worse bit is I told them about the vulnerability 3 years ago!!


      Just be glad you're not in jail for knowing that and telling them.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    9. Re:duh, challenge response! by DrSkwid · · Score: 2

      From HashCash's site :

      For example, my workstation is able to test 27,000 hashes per second. A 19 bit hash collision takes on average 20 seconds to produce at this rate. If I am charged by recipients a 19 bit hash for each email I send, I can only usefully send 4320 mails per day.

      I send a weekly newsletter to our registered members. It's not unsolicited. We have over 50,000 registered members and our two year target is 100,000.

      My current server is nicely specced. 800MHz P3 256MB RAM, 20GB HD. It easily serves the website and the newsletter. It's going to be 5 years before it needs any sort of upgrade. I like this.

      With HashCash suddenly I'm going to have to consume 23 days of CPU time per 7 days. So I'm going to need another 3 machines JUST TO SEND THE NEWSLETTER. And in 5 years' time maybe I'll need at least another 2. So with an MTBF for HDs of about 5 years suddenly my co-lo is going to see me once every year instead of once every 5.

      And all because YOU couldn't look after your email address properly.

      thanks.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    10. Re:duh, challenge response! by Anonymous Coward · · Score: 0
      Wouldn't it be worth it if you never got a spam again?

      And how about this: instead of mass-mailing your newsletter to 100k "registered members" who may or may not be interested in reading each one, post it on the web for them to retrieve at their convenience. Then you know no one's getting it who doesn't want it. They can sift through the back issues if they want. And you're not paying for the hardware and the bandwidth to push it to them. Sounds like a win-win to me...

      AC.

    11. Re:duh, challenge response! by DrSkwid · · Score: 1

      Wouldn't it be worth it if you never got a spam again?

      instead of mass-mailing your newsletter to 100k "registered members" who may or may not be interested in reading each one, post it on the web for them to retrieve at their convenience. Then you know no one's getting it who doesn't want it.

      Well my newsletter example was a bit specious, it's not that regular. And we do mailouts from one group of customers to another (B2B and B2C).
      Some of which are just subgroups of our 50k+ depending on their preferences.

      Don't get me wrong, I'm all for a change to the method of email delivery to combat unsolicited email. I just think the HashCash idea is too costly when there are legitimate mass mailings to be done.

      I respect my users' unsubscribes so I know everyone who gets it still wants it.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    12. Re:duh, challenge response! by cicadia · · Score: 2
      No, email should not be point-to-point.

      To use your own example against you, consider this -

      First, there is no single yahoo.com mail server. They host millions of email accounts, and probably have several back-end servers handling the volume of received mail. You couldn't send mail directly to the mail server if you wanted to. Even at the front-end side, a quick MX lookup shows three servers which will accept mail for the yahoo.com domain. There are multiple paths that email can take en route to its destination, and they are each just as valid as the others.

      Secondly, most home users don't even operate an SMTP service. Their messages necessarily have to go through one or more relays, to be queued, and resent if there are delivery problems the first time. The alternative to this is to require everyone to operate a full-blown SMTP service on every machine from which mail might originate, so that they can handle things like delivery delays, bounced messages, and the like.

      The reason that email works like this is that the Internet is a collection of Inter-connected networks, which don't necessarily pass all traffic freely between each other. Companies have border routers and firewalls, or use Novell or other non-IP-based networks internally, but the email still has to end up at the recipient's machine. This is fundamentally different than the way that the World Wide Web works. On the web, you can assume that every HTTP server has an IP address, and you can contact it directly. With email, you can make no such assumptions. Not everyone uses POP to get their mail from publicly accessible mail servers.

      Of course, that being said, I agree that closing open routers is generally a good thing. There really is no reason for mail to have to pass through more than one relay to cross the public portions of the Internet, and mail that does should at least be forced to be honest about its origin. This would do a lot to discourage spam.

      Anyway, I'm sure you knew most of this already, but I am dismayed by the number of people who think that stopping spam is a simple matter of 'fixing' the routing, and that email is essentially the same thing as HTTP, only on port 25.

      --
      Living better through chemicals
    13. Re:duh, challenge response! by Paul+Wright · · Score: 1
      The latest stuff I'm seeing from the Camram (Campaign for Real Mail) website suggests that a hash would be necessary for initial contact, but that after that people would verify each other by using keys exchanged in the initial contact.

      This means that if you're running a mailing list, the initial signup procedure (where you confirm that the address you've been given really did want to sign up, by sending them back an email) will do the key exchange, so after that you're only doing some crypto rather than a hashcash calculation. Still more expensive than conventional email, but not deliberately expensive.

      For an example of a cryptosystem which works in this way, see Herbivore

    14. Re:duh, challenge response! by Anonymous Coward · · Score: 0

      I'd like to say that you are full of shit, but that wouldn't be nice. Of course legitimate mailing lists are allowed to be sent, it just takes some set up to work out. There was some crypto paper which explained the hashcash concept and mailing lists were taken into account there.

    15. Re:duh, challenge response! by Anonymous Coward · · Score: 0

      full of shit? hehehe

      I can only form my opinion on the information I had, which is why I asked the question. The HashCash site was unavailable, all I had was the google cache of the first page, which said 20 secs per email.

      so fuck you :)

  13. Slashdot... by Anonymous Coward · · Score: 0

    from the people who brought you nuclear weapons...

    Eve

  14. maybe they're selling by nomadic · · Score: 1
  15. What AT&T Needs... by rickthewizkid · · Score: 0

    ... is a bewolf cluster of spamfilters...

    Okay, so it was funnier before I typed it...

    1. Re:What AT&T Needs... by Anonymous Coward · · Score: 0

      no, actually it was never funny. sorry, ;)

    2. Re:What AT&T Needs... by Zathruss · · Score: 1

      Especially since he didn't even spell the bloody thing properly.

  16. Designated email deliverer. by satanami69 · · Score: 3, Interesting

    The only reason that spam is a problem is because everyone has access to email you at your email address. It's the same problem with your phone. Anyone can punch in your number from their phone and dial you directly.

    Your P.O box, however, can only be given mail from the actual Post Office. (I'm making an open-relay analogy) Nobody can walk in from the street and legally place mail into your mailbox. Although using a Post Office type deliverer for mail won't filter any spam, it will keep messages that are sent from outside the "post office" deliverer.

    So, we need to decide that email doesn't work for private internet messages and come up with a different tool for getting personal messages online, otherwise we will continue to get spam.

    --
    I really hate Dan Patrick.
    1. Re:Designated email deliverer. by Anonymous Coward · · Score: 1, Insightful

      If email weren't open it would never have reached the success it has.

    2. Re:Designated email deliverer. by CheezyD · · Score: 0

      How about we just blacklist all of Asia like some people are doing? When they send you a message that says "remove block", reply with "fix spam". Most of these guys see nothing wrong with allowing spam, so it needs to be explained to them the hard way.

    3. Re:Designated email deliverer. by lordkuri · · Score: 1, Funny

      erm.... just to play Mr. Obvious here...

      How about we just blacklist all of Asia like some people are doing? When they send you a message that says "remove block",

      how, pray tell, would you get that message?

    4. Re:Designated email deliverer. by whovian · · Score: 1

      IIRC the US post office was once trying to overtake email services over the internet -- and looking to charge a small fee per email. Although people who pay an internet service provider pay indirectly for email services through their monthly fee, I am sure they would object to paying per email on top of that. However, a small fee could deter the casual spammer and thereby reduce email glut.

      --
      To-do List: Receive telemarketing call during a tornado warning. Check.
    5. Re:Designated email deliverer. by Anonymous Coward · · Score: 0

      Strange, the spam I get is mainly from US-"companies" over open relays all over the world (including the US).

    6. Re:Designated email deliverer. by 0xA · · Score: 2
      Although using a Post Office type deliverer for mail won't filter any spam, it will keep messages that are sent from outside the "post office" deliverer.

      I don't think this would help any. I get just as much crap in my meatspace mail box as I do spam. The only thing you would end up with is people bidding to pay off the "post office" so they could send you crap.

      The only way I can think of to make something like this work is setting up an allowed sender list. Of course that won't work either, I'm sure you can think of 100 reasons why in a minute.

      Until spam is absolutely useless to the sender it will continue to be a problem.

    7. Re:Designated email deliverer. by donpardo · · Score: 1

      It's an Urban legend. See snopes.com.

      --
      Nothing to see here. Move along.
    8. Re:Designated email deliverer. by CheezyD · · Score: 0

      Hell, I dunno. It was in the other /. story.

    9. Re:Designated email deliverer. by fermion · · Score: 1
      Your P.O box, however, can only be given mail from the actual Post Office. (I'm making an open-relay analogy) Nobody can walk in from the street and legally place mail into your mailbox.

      Your analogy is flawed, as it is illegal for a non-US postal employee to place mail in any mailbox in the U.S. This keeps people from circumventing the U.S. postal service on mail delivery. Therefore, in this respect, a P.O. box has no legal advantages.

      As has been discussed, cost keeps junk snail mail to a minimum. Since there is little or no cost to spam, it exists in abundance. If the U.S. postal service delivered mail for nearly free, it would matter little whether one had a PO Box or not. As many people have pointed out, the useful analogy is the telephone, and therefore our best hope is unlisted numbers and proper legislation.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    10. Re:Designated email deliverer. by cicadia · · Score: 1
      Your P.O box, however, can only be given mail from the actual Post Office. (I'm making an open-relay analogy) Nobody can walk in from the street and legally place mail into your mailbox. Although using a Post Office type deliverer for mail won't filter any spam, it will keep messages that are sent from outside the "post office" deliverer.

      Actually, email already works like this - nobody can place messages directly into my /var/mail spool. All mail has to go through my authorised delivery agent (Postfix), although, as you say, it doesn't help me at all on the spam front.

      --
      Living better through chemicals
    11. Re:Designated email deliverer. by Anonymous Coward · · Score: 0
      The only reason that spam is a problem is because everyone has access to email you at your email address
      No, spam is a problem because the spammer shifts his costs to you and your provider; it's like a telemarketer making collect calls, or a junk mailer sending his crap postage due, except that it's not as easy to identify before the costs have been incurred. The current estimates of the costs of spam are in the $billions, and are certain to rise if we don't do something about it.
  17. Probably something in the DMCA to protect spammers by Anonymous Coward · · Score: 0

    The DMCA seems to be the Swiss Army knife of absolute slimeballs. I'm /still/ amazed that such a law could exist in this country. I would not be surprised if it were used in the defence of spammers. Suppose they encrypted their return address in some simple fashion? That Dimitri guy was thrown in jail for "cracking ROT13". The fucking DMCA would allow them to sue you for trying to figure out where they came from.

  18. People... by Goofy+Gavin · · Score: 1

    from the god who brought you light. gotcha.

  19. Spam ... by nosfucious · · Score: 5, Insightful

    This ongoing 'war on spam' will only really be dealt with when two things happen:

    1 Sysadmins living in a 'clue free zone' must be wised up. This means, among other things, more education for sysadmins, better products and documentation, better or more translations of documentation, etc. It should be easy to obtain documentation in your local language. Every HOWTO has to have an accurate, up to date translation readily available. As should documentation for proprietary products.

    I don't like viruses nor encourage illegal break-and-enter of another person's computer, but a 'whitehat' virus that shuts down the relay component of an email server would be damn handy.

    2 The economics of SPAM must be altered, literally turned on their head. It costs to receive bandwidth, but (generally) little, or none at all. (The obvious exception is when you have a bandwidth intensive site that requires nice fat outward pipes). It costs so little to send, just electricity, enough money for a bulk sender (off the shelf or home brewed) and a net connection. Pay the real cost of outgoing mail and watch the volume of spam decrease to an approximation of zero.

    Don't know how this last one will be achieved except via a totally new version of 'the net' (or at least a new set of RFCs).

    --
    Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music
    1. Re:Spam ... by shaunbaker · · Score: 1

      That sounds like a good idea; the concept of "education" over actual disciplinary action always sounds good. I think the big problem is not a lack of education, more a lack of care. Simply, many of the Asian ISPs don't find it in their interests to block the spammers or close the relays for one reason or another. As evidenced by the previous /. thread, when most are sent emails with instructions in their native language they simply do not comply or even formulate a reply in any language of any sort. Furthermore, the language barrier is not an excuse for poor admin. The internet, like air traffic and the postal service, has adopted a pseudo-official language. It's not cultural imperialism, just common sense. We must be able to communicate and English happens to be the largest force, so we use that. Air traffic is the same way and I believe French is the official international language for mail. I really think the only way to make it economically in their interests to behave like good net citizens is to pull the plug until they unscrew themselves; a little collective punishment can go a long way in forcing self-regulation.

    2. Re:Spam ... by stesch · · Score: 2, Insightful

      Sysadmins who can't read English documentation can't read English spam complaints either.

    3. Re:Spam ... by Anonymous Coward · · Score: 0
      I don't like viruses nor encourage illegal break-and-enter of another person's computer, but a 'whitehat' virus that shuts down the relay component of an email server would be damn handy.
      We've got one, it's called ORBZ...
    4. Re:Spam ... by mesocyclone · · Score: 2
      I am not a spam expert, but it seems to me that if I had a lot of spam to send, and there were NO open relays anywhere, it wouldn't slow me down. I would simply use the same technique that a relay server uses to resolve the address of the true recipient email server, and send the message direct.


      In researching this question, I came across sites that sell software that will do the above. See .
      Even worse, they will test email addresses against servers they find, locating the valid ones. And, some sell services that will use this sort of software to send the spam.


      Finally, where are most customers located? How about hotmail.com, aol.com and a few others. How hard is it to simply use THEM as the server for all the addresses going to those domains? Then you are not relaying at all. Of course, they may have filters that cut off an SMTP sender after N messages, unless it is a trusted address.

      --

      The only good weather is bad weather.

    5. Re:Spam ... by mesocyclone · · Score: 2
      Oops...

      Use the PREVIEW BUTTON, Luke!

      The site selling spam software is:
      http://www.marketing-2000.net/

      --

      The only good weather is bad weather.

    6. Re:Spam ... by sjames · · Score: 2

      Don't know how this last one will be achieved except via a totally new version of 'the net' (or at least a new set of RFCs).

      No need to make everyone pay because of a few spammers. Just a mandatory fine of $10 (or equivalent) per spam when caught. If an ISP chooses to look the other way (spamhaus), they either get to pay the fine themselves, or have the plug pulled.

      The real challenge is to keep the rules tight enough to stop the spammers, but loose enough to avoid punishing innocent providers and users who are victimized by a spammer.

    7. Re:Spam ... by sjames · · Score: 2

      Sysadmins who can't read English documentation can't read English spam complaints either.

      Surely, they don't have to know much English to know that a message sent to abuse with the subject SPAM is a spam. There's not really much need to read the message itself at that point.

    8. Re: Spam ... by elemental23 · · Score: 1

      Many mail servers will reject connections directly from a dialup to port 25. MAPS provides their DUL (Dial-Up List) for just this purpose. It's a list of known dialup or otherwise dynamic IP address ranges, and it works similar to the RBL in that connecting addresses are checked against this list before being accepted.

      --
      I like my women like my coffee... pale and bitter.
    9. Re:Spam ... by Arandir · · Score: 2

      Yep, you hit the problem squarely on the head. Economics. Snail mail spam costs money, so what you get is limited and targeted to you or the region. But email spam is free.

      The economics are screwed up somewhere. And I know where it's screwed up. Internet users do not pay for internet usage. They do pay for hookup, maintenance and service, but they don't pay for use. Someone who sends out one email a day pays exactly the same as someone who spams out ten thousand a day.

      Bandwidth isn't free. But no one is charging for bandwidth. So here's my very radical solution: start charging for bandwidth. Your ISP charges you according to the bandwidth you use. And the ISPs in turn pay for the use of resources owned by other providers, services and institutions. Forget about information wanting to be free, because I'm not talking about information. I'm talking about routers, servers, cables and lines. Someone owns that router two hops away that has to route ten million pieces of spam a day. The owner of that router needs to start charging for its use. That owner may not know the ultimate origin of a piece of spam, but they do know which direction it came from.

      Then to top it all off, start suing spammers where appropriate. Sue them for hacking your server. Sue them for spoofing your address. Sue them if your penis doesn't grow four inches after smoking temple kiff. It may be difficult now to sue them for much of this stuff, but when bandwidth actually costs money, you're able to walk into court with a detailed list of monetary damages.

      This won't stop spam. Nothing will. But it will do wonders for reducing it. Just start treating the internet as owned property instead of some mythical village commons.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
    10. Re:Spam ... by broter · · Score: 1
      • Your ISP charges you according to the bandwidth you use.


      The problem is that if the spammer is using a relay that is very far up stream, then not only will the spammer not pay for the spam, but it will be almost impossible for the intermediate networks to track him down.

      --
      "One man can change the world with a bullet in the right place."
      - Mick Travis, "If..."
    11. Re:Spam ... by Arandir · · Score: 1

      I'm not an expert in networks, especially WANs. But I'm not expecting the relay owners to charge the spammers directly. Instead, the relay owner charges the server or node that is using the bandwidth. This will eventually be filtered back to the spammer.

      Please note that I am fully aware that many spammers are very creative in hiding their true identity. But unless they are actually hacking upstream servers, the charges will eventually find them.

      Nothing in life is perfect (get used to it), but charging for bandwidth is a much better solution than to falsely assume that the internet is a commons that anyone can use free of charge. In real life, commons only exist in economic texts. Sure, spammers may learn more creative cracking skills to get around the bandwidth charges, but then they become criminals and then their costs of doing business become potentially exorbitant. Certain Asian countries might not care what bandwidth their citizens steal, but a few well placed liens on Asian ISPs would do wonders.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
    12. Re:Spam ... by AnotherBlackHat · · Score: 2

      1 Sysadmins living in a 'clue free zone' must be wised up. This means, among other things, more education for sysadmins, better products and documentation, better or more translations of documentation, etc. It should be easy to obtain documentation in your local language. Every HOWTO has to have an accurate, up to date translation readily available. As should documentation for proprietary products.


      While I agree that education is a good thing (tm) as is documentation in lots of languages, in the end I think this is a hopeless task. It's always September somewhere on the net, and if it only requires a tiny percentage to be clueless to screw things up, then things are going to be screwed up perpetually.

      2 The economics of SPAM must be altered, literally turned on their head. It costs to receive bandwidth, but (generally) little, or none at all. (The obvious exception is when you have a bandwidth intensive site that requires nice fat outward pipes). It costs so little to send, just electricity, enough money for a bulk sender (off the shelf or home brewed) and a net connection. Pay the real cost of outgoing mail and watch the volume of spam decrease to an approximation of zero.


      In 2001, bandwidth could be bought by the end consumer for less than $5 a gigabyte, (a lot less if you knew what you were doing). A typical spam is less than 10K. (Based on a semi-random sampling, 5.2K per spam.) That makes the cost, under 1/200 of a cent. If you don't send 1 to 1, and you're efficient about sending it, it's about 50 times better, or under 1/10,000 of a cent per spam. (We could revoke that bit in RFC 821 that says you have to accept at least 100 RCPT commands for each email, but that would hurt legitimate mailing lists and ISPs a lot more than spammers)

      The problem isn't that spammers aren't paying for bandwidth. They do. They even offer to pay extra if they can keep spamming. If you want to make a change through economics, you need to make spam cost a lot more. For example, if sending an email to a recipient was a dollar, which was refunded if the recipient agreed it wasn't spam, then you might reduce spam.

      -- Is a no soliciting sign spam?
    13. Re:Spam ... by Anonymous Coward · · Score: 0

      Pay the real cost of outgoing mail and watch the volume of spam decrease to an approximation of zero.

      Care to suggest a way of determining and imposing a "real cost"? In the US, the paper spammers have hijacked the USPS. We're fed some crap about how "the bulk mail industry" is really subsidizing those of us who just wish to correspond with friends. Unfortunately I don't have the time (or the million friends) which would allow me to generate the necessary volume to get the fabulous rates so I could subsidize someone else.

    14. Re:Spam ... by ahodgson · · Score: 1

      Charging for bandwidth would not stop relay-hijacking spammers. They only transmit the message body once to the relay, accompanied by thousands of E-mail addresses. E-mail addresses are not large.

      A spammer could send millions of spams for only a few megabytes of traffic.

      On the other hand, the open relay site would certainly be affected by bandwidth charges and that might force them to finally take action.

    15. Re:Spam ... by Arandir · · Score: 2

      A spammer could send millions of spams for only a few megabytes of traffic.

      Eventually those millions of spams translate into millions of individual emails, all clogging up the works. Those few megabytes eventually become several gigabytes. Those gigabytes use limited resources. By charging for those resources, the fees eventually filter their way back to the spammer.

      Like I said before, I'm not a networking expert, but here is a possible scenario. Spammer sends out an individual email addressed to one thousand recipients. The spammer's ISP sees 1K of bandwidth. So far the charge to the spammer is one cent. But suddenly the message hits a node that routes that single message off in ten different directions. The ISP gets charged ten cents, which he passes on to the spammer. And those ten split them off again ten different ways. And once more. Those charges filter back to the spammer for ten dollars.

      --
      A Government Is a Body of People, Usually Notably Ungoverned
    16. Re:Spam ... by ahodgson · · Score: 1

      They don't. There's no tie to the spammer past the first relay. The operator of the open relay gets dinged for 10 bucks (which is probably good), but the spammer still only gets charged one cent.

      Besides, lots of people send a large amount of legitimate E-mail. Should I have to pay more to run my jokes list because spammers abuse their 'net privileges? I don't think so.

  20. (Very) Slowly self-healing by LinuxHam · · Score: 3

    One good thing to keep in mind is that the more recent default configurations of mailer packages are configured to deny relaying. So as mail servers get updated, reloaded and replaced, the problem of open relays will become much smaller. And the clueless sysadmins will have to learn more about their systems in order to turn that function back on. Hopefully they will have had a good speaking to regarding their decision by then, too.

    --
    Intelligent Life on Earth
    1. Re:(Very) Slowly self-healing by CheezyD · · Score: 0

      The Chinese Government rolls its own distro now based off of RedHat. Who knows if they'll even update the packages, let alone secure the current release.

      Port State Service
      21/tcp open ftp
      23/tcp open telnet
      79/tcp open finger
      98/tcp open linuxconf
      111/tcp open sunrpc
      113/tcp open auth
      513/tcp open login
      514/tcp open shell
      515/tcp open printer
      1030/tcp open iad1
      6000/tcp open X11

  21. What about "Spam" from M$?! by garoush · · Score: 0, Offtopic

    The "Spam" that I get from MS ("Windows Update" notification) is killing me. In the past two weeks I had to "update" my W2K TWICE.

    And whenever I try to update, the process would break halfway because M$'s server can't keep up with the demand.

    In my view, not only has M$ taken over 95% of the desktop, they will soon take over internet traffic with their daily "update".

    --

    Karma stuck at 50? Add 2-5 inches.. err.. 2-5x Karmas Count to your pen1es.. err.. Karma all naturally and private
    1. Re:What about "Spam" from M$?! by Anonymous Coward · · Score: 0

      Turn off the critical update notification hand-job.
      Kill your TSRs. You'd be surprised at how well W2K runs.

  22. Any open relay honey traps? by reemul · · Score: 5, Insightful

    I've seen code to trap the spiders the spammers use and fill up their databases with crap. What I haven't seen is a honeypot designed just for spammers - a box that *looks* like an open relay, but not only doesn't forward the spam messages, it logs and possibly automagically retaliates against the originator. The anti-spam groups have had good luck attracting spam with email addresses set aside for that purpose, but we need to take it to the next level and have some anti-spam servers. Maybe just a simple bot to start listening on port 25 and responding like known weak versions of sendmail when accessed would do. Any of the mighty code ghods here at /. want to see what they can come up with?

    --
    You're just jealous 'cuz the voices talk to *me*
    1. Re:Any open relay honey traps? by digitalsushi · · Score: 3, Informative
      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    2. Re:Any open relay honey traps? by gewalker · · Score: 5, Insightful

      I think this sounds like a great idea.

      Then I thought about it for minute, and said to myself -- that just means the spammers will learn to test for honeypotness, and the technology based war just has another exchange, but the war is still ongoing.

      My father was a businessman, and he was first exposed to the Internet email concept about 6 years ago when I explained it all to him. His first non-technical question was, "Who pays for the email?" I should have listened to him. Instead, I said that it was basically too cheap to meter, whereas he saw it as a potential for abusive business practices because he remembered history where the first postal service made the recipient of the mail pay for the delivery, but was changed to the sender fairly quickly because of the abuse.

      The war on spam is the good war of our generation, but I'm afraid it may be the war of our kids' generation too unless we get serious about nuking the spammers.

    3. Re:Any open relay honey traps? by Paradise+Pete · · Score: 1
      that just means the spammers will learn to test for honeypotness


      It'd have to actually relay individual emails, but once they cross a certain threshold it goes into anti-spam mode.

    4. Re:Any open relay honey traps? by Eggplant62 · · Score: 0, Flamebait

      howzabout sendmail -bd?

    5. Re:Any open relay honey traps? by reemul · · Score: 2

      So you have the honeypot act as - or even be based on - common versions of sendmail. If the spammers decide to filter out those servers for use out of fear that it'll be a honeypot, that's already a big victory. "Oh, darn, the trap system isn't as effective 'cuz the bastards just stopped making use of any of the servers based on the most popular mail system code in the world. Horrors!" Heh. And there is no legitimate reason for anyone to run any tests against the trap servers - the addresses aren't advertised, only folks hunting for an open relay will ever touch them. The test activity itself is enough to ID the source as a spammer, so that the netblock can be filtered and passed to other concerned admins, and the logs of the testing can be used to develop better defenses against future attacks. Just like any other form of IDS.

      --
      You're just jealous 'cuz the voices talk to *me*
    6. Re:Any open relay honey traps? by reemul · · Score: 2

      Teergrube MTA's don't help ID spammers, they just work off of a known list of addresses. It's a neat idea, but it has no value for previously unknown sources. From what I've read, teergrubing is a response to spam, not a means of detection.

      --
      You're just jealous 'cuz the voices talk to *me*
    7. Re:Any open relay honey traps? by Anonymous Coward · · Score: 0

      Just in case you're wondering (it isn't explained on the linked page): "Teergrube" translates as "tar pit".

      BTW, the concept looks good at first sight. Where are the drawbacks, if any?

      (posting AC because I sounded too much like a karma whore for my own taste)

    8. Re:Any open relay honey traps? by koreth · · Score: 1
      I've done something similar (but simpler) on my mail server; I modified qmail to add a 90-second delay before it spits out its "can't send to that address" error. Doesn't stop spammers from scanning me, but hopefully it makes their job more expensive. The delay is hopefully short enough that legitimate clients (if there are any legitimate clients that try to relay when they shouldn't) won't completely fail.

      The tweak is a really easy one-liner, BTW; just add a sleep call to err_nogateway() near the top of qmail_smtpd.c.

    9. Re:Any open relay honey traps? by lar3ry · · Score: 3, Insightful
      This is a nice idea in theory, but there are some reasons why it won't work:
      • Running any open relay, even a honey pot, is probably against most ISP's AUP. Breaking the rules to get to the others that are doing bad things is never a good idea: two wrongs don't make a right.
      • Some ISPs use some standard tools to check their customers to see if they are running open relays. If those tools hit a honey pot, the customer who is actually attempting to fight SPAM will actually receive a notice that they are running an open relay against the AUP, or may even get disconnected without notice.
      • As mentioned before, it is simple to check if an open relay is actually a honey pot: have the relay send email to a known location. If the email doesn't get delivered, the spammer will know that something different is happening with this apparent relay, and will just move on to the next one.

      Interesting thought, anyway.
      --
      "May I have ten thousand marbles, please?"
    10. Re:Any open relay honey traps? by Anonymous Coward · · Score: 0

      Why not throttle the connection when receiving too much e-mail from a particular domain? An exception rule config file could be used to accept the ton-o-mail from partnered organizations.

    11. Re:Any open relay honey traps? by alansz · · Score: 1

      Many people who run honeypots base them directly on sendmail, by running "sendmail -bd" on systems that aren't supposed to be mailservers, as described in this page

    12. Re:Any open relay honey traps? by Dwedit · · Score: 1

      What if it sends the first few emails properly, then acts like a honey pot, and stops all future emails except to the first few addresses?

    13. Re:Any open relay honey traps? by Fastolfe · · Score: 1

      The only relay tests I've seen tend to flag a relay as open only when the message is delivered. To flag a relay as "open" once it accepts a message would give you a lot of false positives, because the MTA is always free to bounce the message later. The only way you can tell if it's relaying mail is when you get a relayed piece of mail.

    14. Re:Any open relay honey traps? by reemul · · Score: 2

      I'll take this point by point:

      1) You can just go ahead and notify all of the proper folks - ISP, blackhole lists, &etc. in advance. Not only will this server never legitimately send mail, so filtering everything that appears to come from it is desired anyway, putting yourself on the open relay lists is a great way to attract low end spammers.

      2) The code is provably not an email server, and will never be used as such. Of course, one should always check with one's uplevel provider to make sure of their policies, but running a daemon that responds like a relay but never actually sends a single email anywhere is unlikely to be illegal.

      3) It doesn't matter. The simple act of the spammer checking to see if mail is delivered to a known location is enough to ID the source as an abuser - it isn't necessary for them to do anything else. The server is not advertised as being a mail server and will therefore attract not one single legitimate access. Any source that sends the trap server anything at all on port 25 beyond portscan traffic should be logged, filtered, and reported. (I don't like portscans, either, but this is to be specific against spammers.) Sure, it would be nice if the spammer spent more time with the server so that more of his operating habits could be revealed, from his test methods to the fingerprints of his outbound messages, but by touching the system at all he has already been caught. That's the beauty of running a honeytrap that is narrowly targeted and isn't advertised - there is no valid traffic to be ignored, no innocent use that needs to be permitted while sifting traffic logs for attacks. Barring use of psychic abilities, the only way for a spammer to know that the box in question is a trap is to access it in a way that will already catch them out. It might not be enough to get them TOSsed off their ISP, but it will be enough to get them known as a spammer and possibly added to the filter lists.

      --
      You're just jealous 'cuz the voices talk to *me*
    15. Re:Any open relay honey traps? by eugene+ts+wong · · Score: 1

      Wouldn't it be quicker to just create a Chinese and Russian HOWTO that explains how to close a relay?

      I'm seriously asking for advice and discussion. I wouldn't know how to close one. It just seems to me to be so much less work.

    16. Re:Any open relay honey traps? by winnetou · · Score: 1
      Yes, there are honeypots. This page gives an overview of a spam run probably from Alan Ralsky. A nice celebration of the 3rd anniversary of this article by the former head of uu.net's abuse desk:
      I have stated we ARE going to implement port 25 filtering on our dial network.
    17. Re:Any open relay honey traps? by thogard · · Score: 1

      I've done this....
      It's cost me a net block and I had to ask for a different address block :-(

      To do this properly, you must have your own /24 at least and you must relay some spam because spammers will test for open relays before they do a database dump.

      What you need to do is find out you have spam and then slow down the channel. There are lots of tricks to doing this. A 2 minute sleep between lines would be handy but you can't do this at the program level since the TCP/IP layer buffers and all you do is slow down your box. SMTP says that you can give several line answers by giving a number and a dash ("250-2.1.0 junk CR 250 2.1.0 sender ok"). You can send one line every second and keep the connection open for most real smtp servers. The best option is to tell the tcp stack to get nasty. Some tricks involve not acking most of the data, or tricking the far end to drop the MTU size to 68 or less :-).

      If you crash the remote end, they will forget where they have spammed before and may hit your box again and again and again but it's a spammer so how can you tell?

    18. Re:Any open relay honey traps? by Rasta+Prefect · · Score: 2

      Alas, there would be far, far more effective ways to test for such a system. Send the first copy of the SPAM to an address owned by the Spammer. Didn't get there? Guess it's a honeypot. No need for them to quit using other sendmail relays.

      --
      Why?
    19. Re:Any open relay honey traps? by gorbachev · · Score: 1

      There're a few people running open relay honeypots with great success (in terms of attracting high profile spammers to use them).

      The problem, however, is that the ISPs where the spams to those honeypots are being sent from are ignoring complaints from the honeypot originators.

      A great example is Mikhail Tokarev's honeypot, which is being heavily abused by a "Mr." Alan Ralsky, a long-time, career (animal, kiddie, regular) porn spammer. Everybody, who has anything to do with preventing spam, knows Ralsky's reputation. Yet his various dialup providers are ignoring complaints.

      More information in news.admin.net-abuse.email (search for Mr. Tokarev's recent posts).

      --
      In Soviet Russia, I ruled you
    20. Re:Any open relay honey traps? by Syberghost · · Score: 2

      * Running any open relay, even a honey pot, is probably against most ISP's AUP.

      A honeypot ISN'T an open relay, it just looks like one to specific sites.

      Accepting mail doesn't make one an open relay, only delivering it.

      * Some ISPs use some standard tools to check their customers to see if they are running open relays.

      If your ISP is using one of those tools and it doesn't actually require receipt of the relayed mail, you'll be doing them a big favor by pointing out the brokenness of their tool. Or, just configure the server to block connections from your ISP's IP block, other than your IPs.
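
The trap discussed in this thread, as an added sketch that is not code from any commenter: a listener that speaks enough SMTP to look like a relay, never delivers anything, records every source that talks to it, and paces its replies with the multi-line `250-` continuation lines described in comment 17. `HoneypotSession`, `sources_to_report`, the constants, the banner host name and the loopback port 2525 are assumptions made for this example.

```python
import asyncio
import functools
import time

DRIP_LINES = 5                      # "250-" continuation lines sent before each final "250 "
DRIP_DELAY = 1.0                    # seconds between reply lines (constructed default)
HOSTNAME = "mail.example.invalid"   # placeholder banner name


def _addr(arg):
    """Extract the address from 'FROM:<a@b>' or 'TO:<a@b>'; '' if absent."""
    parts = arg.partition(":")[2].split()
    return parts[0].strip("<>") if parts else ""


class HoneypotSession:
    """One client's SMTP dialogue: accept everything, deliver nothing, log it."""
    def __init__(self, peer_ip, log):
        self.peer_ip, self.log = peer_ip, log
        self.sender, self.rcpts, self.in_data, self.size = None, [], False, 0

    def _event(self, kind, **detail):
        self.log.append({"ts": time.time(), "ip": self.peer_ip, "kind": kind, **detail})

    def _drip(self, text):
        return [f"250-{text.split()[0]} junk"] * DRIP_LINES + [f"250 {text}"]

    def banner(self):
        self._event("connect")
        return [f"220 {HOSTNAME} ESMTP"]

    def handle(self, line):
        """Return the reply lines for one line received from the client."""
        if self.in_data:
            if line != ".":
                self.size += len(line)          # count it, keep no message body
                return []
            self._event("message", sender=self.sender, rcpts=self.rcpts, size=self.size)
            self.sender, self.rcpts, self.in_data, self.size = None, [], False, 0
            return self._drip("2.0.0 queued")   # nothing is ever queued or sent
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        self._event("cmd", verb=verb, arg=arg)
        if verb in ("HELO", "EHLO"):
            return [f"250 {HOSTNAME}"]
        if verb == "MAIL":
            self.sender = _addr(arg)
            return self._drip("2.1.0 sender ok")
        if verb == "RCPT":
            self.rcpts.append(_addr(arg))
            return self._drip("2.1.5 recipient ok")
        if verb == "DATA":
            if not self.rcpts:
                return ["503 5.5.1 need RCPT first"]
            self.in_data = True
            return ["354 end data with <CR><LF>.<CR><LF>"]
        if verb == "QUIT":
            return ["221 2.0.0 bye"]
        return ["500 5.5.2 command not recognized"]


def sources_to_report(log):
    """Map each IP that sent any SMTP command to its number of RCPT attempts."""
    report = {}
    for ev in (e for e in log if e["kind"] == "cmd"):
        report[ev["ip"]] = report.get(ev["ip"], 0) + (ev["verb"] == "RCPT")
    return report


async def serve_client(reader, writer, log, delay=DRIP_DELAY):
    session = HoneypotSession(writer.get_extra_info("peername")[0], log)
    replies = session.banner()
    try:
        while replies is not None:
            for i, reply in enumerate(replies):
                if i:
                    await asyncio.sleep(delay)  # coroutine sleep: only this client waits
                writer.write(reply.encode() + b"\r\n")
                await writer.drain()
            if replies and replies[0].startswith("221"):
                break
            raw = await reader.readline()
            replies = session.handle(raw.decode("latin-1").rstrip("\r\n")) if raw else None
    except (ConnectionError, ValueError):       # peer reset, or a line over the read limit
        pass
    finally:
        writer.close()
        print("report:", sources_to_report(log))


async def main(host="127.0.0.1", port=2525):    # loopback and unprivileged port for a dry run
    handler = functools.partial(serve_client, log=[])
    async with await asyncio.start_server(handler, host, port) as server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Nothing in the block opens an outbound connection, which is the property comment 20 relies on: the listener accepts mail but never delivers it. A source that only connects is not reported; one that issues any SMTP command is.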

  23. Would you like some salad with that? by the_mind_ · · Score: 0, Offtopic

    Spam belongs in a can!

    --
    You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
  24. Spam Assassin, netblock ORBS by Cally · · Score: 5, Informative
    The most recent Need To Know has a good piece on Spam Assassin which uses a clever points-weighted rulebase and apparently has an excellent accuracy rate. What's more it comes with a ISP-friendly daemon mode. Presumably AOL would have some scalability issues, but I'm sure this is a fixable problem.

    The other possibility is a net-block equivalent of ORBS. Some on the Sec-Focus Incidents list (and other fora, over the years) have bounced around the idea of blocking netblocks whose POCs don't work, or who don't have or respond to mail to the RFC-mandated abuse@, security@, hostmaster@,.. standard mail accounts. I'm all in favour. Automate probes, the way ORBS did for anonymous relays. I think this would be a Good Thing. People do have a legitimate need to communicate between Asia, America and Europe: simply dropping everything from .kr is evil and wrong, IMHO.

    Finally - y'all know that anonymous HTTP proxies are just as bad, if not worse, than traditional open mail relays? Just testing ;)

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    1. Re:Spam Assassin, netblock ORBS by ansible · · Score: 1

      Yeah, I've been looking at that too. I'll be talking to my ISP about setting up the daemon.

      Most of the spam I receive would seem to already fall into one of their filter categories. I like the auto-whitelist feature too.

      Anyone here have some experience with Spam Assassin?

    2. Re:Spam Assassin, netblock ORBS by funky+womble · · Score: 1
      SpamAssassin, what you mean the filter with a rule that says CommuniGate is spam software? Doh. By that reasoning, they should also have rules for sendmail, qmail, postfix, exchange, [...]
      The other possibility is a net-block equivalent of ORBS. Some on the Sec-Focus Incidents list (and other fora, over the years) have bounced around the idea of blocking netblocks whose POCs don't work, or who don't have or respond to mail to the RFC-mandated abuse@, security@, hostmaster@,.. standard mail accounts.
      IMO domain names should be revoked unless at least the postmaster@ is verified working and being listened to, maybe by pinging on a random basis with a key that must be returned...that way, blocking all mail from domains that don't resolve would actually be quite effective.
    3. Re:Spam Assassin, netblock ORBS by estes_grover · · Score: 1

      Spam Assassin is very good. My ISP uses it. Because I get mail on a shell, I can have a recipe like this inside the .procmailrc
      #
      :0 H:
      * ? /usr/xpg4/bin/fgrep -i -f /home/xxxxx/.procmail/spam14.txt
      #/dev/null
      TEST ING
      #
      where spam14.txt contains:
      X-Spam-Status: Yes
      X-Spam-Flag: YES

      Makes it easy to quarantine spam ;-)

    4. Re:Spam Assassin, netblock ORBS by captaineo · · Score: 2

      SpamAssassin is *awesome*. I have been using it for a week, testing to see what it marks as spam. It has NEVER made a mistake yet - no spam got past it, and it never marked a legitimate message as spam.

      So I consider my problems as an end user of email basically solved. The only drawback is I'm still paying for the bandwidth to download all this crud... Now if only the major ISPs ran SpamAssassin themselves...*

      *Note: there's probably a big commercial opportunity here for SpamAssassin or a similarly sophisticated "fuzzy logic" spam detector!

    5. Re:Spam Assassin, netblock ORBS by Wanker · · Score: 2

      I'll also give SpamAssassin a thumbs-up. My "real" E-mail address doesn't get much spam since I never give it out. However, it hasn't changed in five or six years (predating the really bad spam) so people can still harvest it from various patch contributors' lists.

      SpamAssassin has only let one spam through with no false positives yet (though I'm told that it does give false positives from time to time, mostly based on people who are unfortunate enough to have a source address or mail software associated with spammers.) The one that got through was a pretty unobtrusive spam, too.

      All in all, the effort to pull those few false positives out of the spam bucket is pretty minor compared with seeing the massive spam flow every day.

    6. Re:Spam Assassin, netblock ORBS by Anonymous Coward · · Score: 0

      abuse@ and postmaster@ I know, but RFC-mandated security@ and hostmaster@ addresses?

      This is news to me. Reference?

    7. Re:Spam Assassin, netblock ORBS by TeddyR · · Score: 1

      The initial use of hostmaster@ was by Network Solutions when they were Internic.net; the current use is defined in RFC 2142.

      RFC 2142
      http://www.ietf.org/rfc/rfc2142.txt?number=2142

      --
      Time is on my side
    8. Re:Spam Assassin, netblock ORBS by rustman · · Score: 1

      >>simply dropping everything from .kr is evil and wrong, IMHO.

      But dropping everything from an open relay isn't?

    9. Re:Spam Assassin, netblock ORBS by ahodgson · · Score: 1

      Nope. It's generally the only way to make them fix the problem.

      Besides, you bounce it. The sender knows the message didn't get through.

    10. Re:Spam Assassin, netblock ORBS by Anonymous Coward · · Score: 0
      The most recent Need To Know [ntk.net] has a good piece on Spam Assassin [taint.org] which uses a clever points-weighted rulebase and apparently has an excellent accuracy rate. What's more it comes with a ISP-friendly daemon mode.
      From the description it's not nearly as effective or ISP-friendly as blocking the spam at the MTA. What I'd like to see is more providers offering their customers a choice of raw.domain or blocked.domain, where raw.domain was lightly filtered and blocked.domain made heavy use of public and private DNS and IP block lists.
      The other possibility is a net-block equivalent of ORBS. Some on the Sec-Focus Incidents list (and other fora, over the years) have bounced around the idea of blocking netblocks whose POCs don't work, or who don't have or respond to mail to the RFC-mandated abuse@, security@, hostmaster@,.. standard mail accounts.
      How does this differ from rfc-ignorant.org? Which, BTW, is a very useful site.
      I'm all in favour. Automate probes, the way ORBS did for anonymous relays. I think this would be a Good Thing.
      Some people consider the probes to be net abuse, and they have some good arguments in favor of their position.
      People do have a legitimate need to communicate between Asia, America and Europe: simply dropping everything from .kr is evil and wrong, IMHO.
      It may be unfortunate, but if a provider's customers want him to block an entire country because of excessive spam, it is neither bad nor evil to comply. But it is evil for the administrators in that country to make it necessary.

      A good analogy is vaccination. Most effective vaccines have side effects; some people get seriously ill or even die from them. But on balance the vaccines save more lives than they cost. Whenever we learn how to make safer vaccines that are just as effective but safer, we phase the old ones out. Similarly, if someone can come up with a technique that is just as effective as a massive block, with less collateral damage, administrators will be happy to adopt it. Blocking individual IP addresses, however, is ineffective.

  25. Optionally publish valid mail servers for domains by Anonymous Coward · · Score: 5, Interesting

    I often get email where the from domain claims to be yahoo.com, but it was sent via an as-yet un-rbl'd server. As it stands your smtp server will accept a mail from anywhere not in a block list, with no checking on whether the server sending you the mail is a legitimate server for that email's claimed from address.

    In the same way that RBLs are published via DNS records, it could be useful to have a scheme whereby for your email domain you can advertise (via dns) what hosts are authorised to send email for that domain.

    So a mail comes in from a yahoo.com address, you do a dns lookup on the incoming connection's IP address appended to validservers.yahoo.com or whatever the convention decided upon is, and the result would tell you if it's valid. You'd also need a way to check that yahoo.com is actually advertising the valid mail servers (and if it isn't, you failsafe and accept the mail).

    This scheme wouldn't be compulsory, and would probably be suited mainly to free email providers, large corporates. The downside of it is that if you have a yahoo.com address, but want to run your own smtp server to deliver your mails, then you'd fall foul of such a system. I don't think that's a biggy though - if you could run your own smtp server, you'd probably not use a yahoo.com address you'd have your own domain :).

    While I'm rambling, another system which could be done is a protocol for verifying email addresses (you could also do this via dns too, I guess, but dns is getting cluttered enough as it is). For a given email domain it has an entry (in dns) for an email address verification server. When an email comes in, you check if there's a verification server for the source domain of the email, and if so try to connect to it, and then submit the email address for verification. Depending on whether it says yay or nay, you accept or reject the mail. If they're not running a verification service, you just failsafe. I know SMTP vrfy exists, but sites often turn it off, or it doesn't do anything useful as the external server is just forwarding mail, etc etc.

    These systems wouldn't be so useful until they got adopted by hotmail.com, yahoo.com, eudoramail.com, aol.com etc, and I'm sure people have toyed with these ideas before and maybe there are downsides which outweigh the benefits or maybe someone knows of implementations of such a thing.
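
The first scheme in the comment above, worked through as an added example (not code from the commenter or from any deployed system): the receiving server looks up the connecting IP under the sender domain's published list, and fails safe when the domain publishes nothing. The `validservers` label comes from the comment; the reversed-address query name (borrowed from how DNS block lists are queried), the marker record at `validservers.<domain>`, and every function name are assumptions.

```python
import ipaddress
import re
import socket

ZONE_LABEL = "validservers"   # label taken from the comment's example
_DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


class DnsTempFail(Exception):
    """The resolver could not get an answer (timeout, SERVFAIL)."""


def system_resolve(name):
    """Return the addresses for name, or [] if the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []
        raise DnsTempFail(name) from exc
    return sorted({info[4][0] for info in infos})


def query_name(client_ip, domain):
    """Build '<reversed ip>.validservers.<domain>' for IPv4 or IPv6."""
    addr = ipaddress.ip_address(client_ip)
    # reverse_pointer ends in '.in-addr.arpa' or '.ip6.arpa'; drop that suffix.
    reversed_part = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_part}.{ZONE_LABEL}.{domain}"


def check_sender(client_ip, mail_from, resolve=system_resolve):
    """Return (action, reason); action is 'accept', 'reject' or 'tempfail'."""
    _local, at, domain = mail_from.strip("<> ").rpartition("@")
    domain = domain.lower().rstrip(".")
    # The domain is attacker-supplied: validate it before putting it in a query.
    if not at or not _DOMAIN_RE.fullmatch(domain):
        return ("accept", "no usable sender domain (for example a bounce)")
    try:
        # Assumed marker record: the domain takes part only if this name exists.
        if not resolve(f"{ZONE_LABEL}.{domain}"):
            return ("accept", "domain publishes no list, failing safe")
        if resolve(query_name(client_ip, domain)):
            return ("accept", "connecting host is listed for this domain")
        return ("reject", "connecting host is not listed for this domain")
    except DnsTempFail:
        # Neither accept nor reject on a lookup failure: ask the sender to retry.
        return ("tempfail", "DNS lookup failed, retry later")
```

The `tempfail` branch is the case the comment leaves open: a participating domain whose DNS is briefly unreachable should not have its mail silently accepted as if it published no list. SPF (RFC 7208) later standardized publishing authorized senders in DNS, using a TXT record on the domain rather than one lookup per connecting address.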

  26. do you have any articles without any spam? by Cynikal · · Score: 1

    wow with all the postings talking about spam these days, we should open a new forum dedicated to that..

    spam.spam.spam.slashdot.and.spam.org

  27. Excellent point!! by Anonymous Coward · · Score: 0

    it's also possible that ATT made the foolish decision to sell the customer email database to spammers and now are forced to deal with the consequences.

    Oh, hell yes i bet they sold the database. Fuck them, let 'em wallow in the perfect hell they constructed.

  28. spam from asia, content from usa by steadph · · Score: 2, Informative

    The reason for the spam is because of the prepaid internet access common in asia! You buy those prepaid cards, in malls, and you are totally anonymous if you buy in cash. As discussed here, the spam therefore come from asia, but the content of the spam is from the US.

  29. This would seem by perraymo · · Score: 1

    like a good chance to GET RICH FAST
    and to MAKE MONEY FROM YOUR HOME

    (At least for those of you living in the US, where most of my spam originates)

  30. AT&T reaps what it sows. by Anonymous Coward · · Score: 1, Interesting

    When I've e-mailed AT&T about people using their dial-ups to then contact open relays, the reaction of AT&T is:

    Not from our network. Problem closed.

    So, I have little compassion for AT&T.

  31. Asia, huh? by Mudge+Pinkerton-Bott · · Score: 1

    I have seen this claim a few times; one anti-spam site (I can't remember which one off-hand) also claims Australia is one of the worst baddies, despite the fact that Australian ISPs are generally pretty quick to kill email accounts under AUPs.

    I am curious as to where these "figures" come from, given the logistics of measuring internet traffic generally, let alone distinguishing between "legitimate" email and spam.

    For the record, at least 95% of the spam I receive originates from the USofA.

    1. Re:Asia, huh? by Otis_INF · · Score: 2

      I get 15 spam emails from .tw domains (not the fake addies, but the real origin) or chinese domains, on my old but still working mailaddy, DAILY, and that are slow days, sometimes I have more. They are for 100% useless to me, since I can't read/understand mandarin, nor am I living near the stores spamming me to pick up goodies they wanna sell me. If there is ONE thing I want to do is to shut out .tw domains from emailservers.

      --
      Never underestimate the relief of true separation of Religion and State.
    2. Re:Asia, huh? by 40000 · · Score: 1

      Apart from with my now useless Hotmail account, most spam for me is now from Asian sources (not just relayed via Asia). These spam messages aren't of the "herbal viagra $20.00" type, they are usually HTML format, advertising what looks to be a respectable (if it wasn't for the bulk emailing) store. They are usually sent to name@mysubdomain.domain.net which makes a dictionary type system seem improbable, usenet and guestbooks seem most likely for their gathering.

    3. Re:Asia, huh? by Anonymous Coward · · Score: 0
      despite the fact that Australian ISPs are generally pretty quick to kill email accounts under AUPs.
      Google is your friend. And can you say Telstra?
  32. SMTP Charges, Email Authentication? by SkewlD00d · · Score: 1

    How about $.001 to send an email, and $.001 when the receiver acks it, like deposits for those luggage carts in the airports? Spammers will stop real quick. =)

    What about doing away w/ smtp relays? Why not save the bandwidth and send an email directly to the dest smtp? Then, the ops could just ipchains -j DENY them? I realize this defeats the nice "features" of redundancy and off-line/UUCP batch transfers of email, but oh-well.

    If you're a public IP on the internet, you have to expect some DoS, and have to work w/ authorities/ISPs to catch and stop DoSers at the higher levels.

    Maybe require PGP or GPG (3rd-party trust authority)?

    --
    The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
    1. Re:SMTP Charges, Email Authentication? by coyote-san · · Score: 2

      I've never seen a luggage cart accept less than a few bucks. They also keep 25 or 50 cents or so.

      The point is that there needs to be economic value in doing this. Micropayments haven't taken off because it's not worth the effort to track down individuals for payments of a few cents.

      To make this system work, you would need some way to identify and charge the original sender (ISP or self-hosting company or individual), and you would charge something like $0.25 per message. The ack might refund $0.20, to provide a small fee to cover operating the system.

      Even if someone sent a 100 messages every day, that's only a few bucks in access fees. But the spammer who sends 100k messages in a single month would get hit hard.

      Of course, there's also the problem of mailing lists, etc.

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  33. 20 percent...? by Anonymous Coward · · Score: 2, Interesting

    --- BEGIN PARANOID RANT ---
    So I guess since they know what 20% of Internet e-mail traffic is... they must be monitoring 100% of it... Hey AT&T, can you give us a pie chart that categorizes all e-mail sent throughout the Internet...? I'd like to see the data points; and even more interestingly, how you got them.
    --- END PARANOID RANT ---

    1. Re:20 percent...? by sqlrob · · Score: 2

      They know what 100% of mail traffic is.

      I know this is slashdot, but read the article. They use BrightMail. Brightmail is reporting 20% of e-mail filtered is spam, up from 10% last year.

  34. Re:how many slashdot posts until some idiot... by AndroidCat · · Score: 2
    I've always thought of block lists like SPEWS to be the Honking Big Delete Key.

    If an ISP can't play nice, drop their address blocks. (Dropping all of China wouldn't be much loss right now.) The trick is to block all an ISP's blocks, not just the spammer's IP. Spam friendly ISPs routinely shift the IP address. When their legit customers start leaving they'll wise up.

    It gives me the warm fuzzies when some spam friendly ISP posts to news.admin.net-abuse.email, and asks pretty-please to be taken off the blocklists. (Then someone points out that they got spam from them in the last couple of days, and to take a flying leap.)

    --
    One line blog. I hear that they're called Twitters now.
  35. AT&T, other ISPs should take advantage of this by Silas · · Score: 5, Informative
    I hope that AT&T tells their customers exactly what happened: "your mail was delayed because of spam". This is just the kind of incident that would help educate the masses that spam is a very real problem that needs immediate attention.

    I agree with the other posters who note that the economics of Spamming need to be reversed in order to stop it, but I think that, even before that, public opinion needs to be swayed such that it is perceived as a significant problem worth addressing all over the place, not just at one ISP or for one open relay. A lot of people have just gotten used to ignoring/deleting 5, 20, 100 spam messages per day. "It's just part of using the Internet, right?" This needs to change. When things like the AT&T congestion happen, they should be used to get the public a little more outraged.

  36. Spam is destroying the internet by Master+Of+Ninja · · Score: 0, Redundant

    I have to say that spam is destroying the internet. I've given up trying to complain to administrators (it takes too much of my time up) so any spam I get I just delete immediately. I have one email address (with spam filters), forward my email to another address with more spam filters before I pick up my mail. This is the state I've got to in just reading my email.

    Some spam is also too hard to track down. I wish someone would come up with a system to trash mail with invalid headers (e.g. from somebody@sasd.sdada - I've had stuff like this).

    Like I said, spam is destroying the internet - something needs to be done about it. It wastes the time of everyone who gets it (and even spam you can read would be good - no use if it is in an Asian language I don't understand), plus wastes bandwidth.

  37. You were speaking as a dullard. by fmaxwell · · Score: 2

    This is a great example of the Free Market at work!

    So is the trafficking of stolen car parts. But it doesn't make it right, ethical, moral, or legal. No, spam is a great example of theft at work. The spammers are taking bandwidth and e-mail storage that they don't pay for. They are inconveniencing Internet users while costing them more money (it's Internet users everywhere that bear the cost of spam traffic, storage, filtering, and response).

    This is a fantastic example of where we need more, not less, government regulation and laws. We need laws that make people criminally and civilly liable if they send spam or pay to have others send it. We need laws that indemnify ISPs and blacklists from lawsuit for blocking spam e-mail.

    If allowing some bunch of amoral assholes to interfere with the delivery of e-mail to millions of users is your idea of how the free market should work, then I cannot imagine a better argument against a free market.

    1. Re:You were speaking as a dullard. by frozenray · · Score: 1

      This is a great example of the Free Market at work!

      It is also a great example of the "Tragedy of the Commons" where a free-for-all resource is exploited to the point of being useless. There are two possible answers to avoid this: One is regulation (which would be cumbersome and probably ineffective, given the global nature of the Internet), or technical means (which I favor). In any case, there must be a certain penalty associated to misusing the resource, or else we'll have an economy-textbook case here.

      Two links which might be worth a read: This and this (go up one directory for more comments).

      --
      "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
    2. Re:You were speaking as a dullard. by fmaxwell · · Score: 3, Insightful

      One is regulation (which would be cumbersome and probably ineffective, given the global nature of the Internet)

      I must disagree. Most spammers are not multi-national corporations trying to attract customers from all over the world. Most spammers have P.O. boxes, toll-free phone numbers, and web sites. Give law enforcement the ability to track these people down, freeze their assets, confiscate their computers, and press charges against them and the spam problem will largely go away. Junk faxes, once a scourge threatening to become as pervasive as spam, have been effectively curtailed with Title 47, Section 227. While there are the occasional junk faxes, the number of them is inconsequential compared to what it was and what it was headed towards.

      Technical solutions are being actively developed and some of them are damned effective when installed at a mail server. But such tools, without legislation to address the problem, are analogous to having a bullet-proof vest in a society where it is legal to shoot people. Advanced filtering products should be used as an adjunct to tough anti-spam laws, not instead of them.

    3. Re:You were speaking as a dullard. by frozenray · · Score: 1

      There are two conditions which have to be met for legislative regulation to be effective:

      1. There must be a law against UCE which is ratified by all nations worldwide (U.N.)

      2. The law must be actually enforced in all states

      Nr. 1 is no problem in principle (only Switzerland and the Holy See are non-members of the U.N. today, and they will likely follow U.N. legislative practices), but it will likely take many years to work out and ratify an anti-UCE law. Individual national legislation is not the way to go here, the internet is a global network.

      As for nr. 2, I doubt that prosecution of UCE distributors would get a very high priority in many states. And if a law isn't enforced (or if only a few token scapegoats are prosecuted to show good will) it might as well not exist.

      Where I live, we have legislation which forbids unauthorized entry into data processing systems. That's very good, but if a teenager from the (imaginary) country of Krbzngan hacks my servers and puts me out of business, this law won't help me - in all probability I won't get any of my lost time and money back, and he will not be prosecuted because the police in Krbzngan has other priorities than going after an underage criminal (assuming that cracking is illegal under the local legislation in the first place).

      I'm not saying that legislation against UCE shouldn't be done, it will certainly be successful in reducing the amount of spam, but in order to be really effective we will have to supplement it with technical means.

      --
      "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
  38. Not really. by Anonymous Coward · · Score: 0

    Most of it does indeed originate in the US.

    If you go to the person responsible that is. They're using relays over in Asia to mask themselves. There's no way most of the spam is from Asia - the spam I get is pretty well written for spam, and tends to not contain language gaffes.

    I really have no pity for people outside the borders of the US who receive spam from our lowest common denominator. Secure your damned servers so the rest of us don't have to put up with Penile Implants, Free TV's, and LEGAL HIGHS!!!!. We can't do very much if you don't.

  39. The enemy is obvious. by Erris · · Score: 2, Interesting

    As the wired article points out, email itself is under attack here. Yesterday, I got a stupid snail mail advert from Earthlink with much the same stuff in it as I'm reading here. While promising "raw unfiltered internet" they also claimed to be blocking more "spam"(70%) than other ISPs, AOL (40%), MSN(40%), ATT(40%). As you can see, spam is a marketing tool. Should we be surprised when companies with the morals of M$ abuse open relays to send messages like "fck me like a slut"? Would it be surprising if a large country trying to halt communications between its people and other countries also abused email? The abusers all have the same goal, to destroy email. The more you block, the happier they are.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  40. God... by Paradise+Pete · · Score: 1

    From the people who brought you gunpowder.

  41. Re:how many slashdot posts until some idiot... by Anonymous Coward · · Score: 0

    SPEWS, ORBS, etc are fine, but we also need some aggressive law enforcement against the criminal gangs that are sending spam and the companies that are paying for the spam to be sent.

  42. Re:how many slashdot posts until some idiot... by Grax · · Score: 1

    Dropping all of China wouldn't be much loss right now.

    I take it you don't have family or friends over there.

  43. Blocking port 25 by Grax · · Score: 1

    I'm not sure I like this idea but it isn't too bad.

    Some ISPs block outgoing port 25 connections so that a spammer operating on their system will be unable to send outgoing mail except through their mail server. It seems to work OK. I haven't seen a lot of spam originating from Netzero which by its design should be a spammer haven.

    If you do need to send email, from, say, your work account, your work should either set up a vpn or a relay on a high numbered port (not an open relay either).

    1. Re:Blocking port 25 by coyote-san · · Score: 5, Insightful
      I'm not sure how this is related to the prior comment....


      Anyway, blocking outgoing port 25 is a stupid idea. Many of us work from home and have our own domains, and we legitimately want to have our outgoing mail show our own domains, not @attbi.com or @rr.com or whatever.


      There are also some practical problems:

      • Can we even connect to outgoing mail filters? Some ISPs are switching to web interfaces (think Hotmail or Yahoo mail) and don't accept outgoing SMTP traffic.
      • If we can connect, do we get mandatory advertising copy inserted? Nothing makes a contract bid look professional like a footer encouraging the recipient to sign up for some cheap ISP. (Even if this isn't common, yet, there can be some weird stuff added or changed in the headers.)
      • Some misguided sites are now cross-referencing header and DNS information, with the result that anyone using their own domain but their ISP's mail gateway will be blocked as spam. Direct connections still get through.
      • Finally, there's the basic concern that the ISP could be logging email sent through their system. Yes I know about encryption, but I also know how incredibly hard it is to get people to use it. With my own mail server I can set up my system to use STARTTLS, but with an ISP mail server I may not have encryption on either leg.
      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    2. Re:Blocking port 25 by CrimsonDeath · · Score: 2, Informative
      That's not completely true. Most ISPs that block outgoing port 25 allow you to relay mail from any domain through their mail server.

      At least that's what my ISP does. I have to set up my sendmail to smarthost through my ISP's mail server, and it works fine.

    3. Re:Blocking port 25 by testuser58 · · Score: 1
      I'm glad you pointed that out. I've been unable to send email through my earthlink DSL account since I got it, and I always figured it was a firewall or router problem on my end. After I read your posting, I had the following conversation with an Earthlink CSR:

      AnthonyM: Thank you for contacting Earthlink LiveChat. What can I help you with today?

      Me: I don't use my earthlink.net email account; I use a third party's email service. However, when I try to connect to their SMTP server, I always get an error.

      Me: Today I read that some ISPs block outgoing connections on port 25 to fight spammers. Does earthlink DSL do this? That would explain why I can't connect (I've tried several smtp servers... nothing goes through on port 25 to any server)

      AnthonyM: The problem you are having is due to Port 25 blocking. This blocks any 3rd party outgoing mail servers from being accessed while connected to the EarthLink network via Dialup, DSL or Cable. This has been done to eliminate much of the spam originating from our customers. Most of this spam is being sent from 3rd party SMTP servers and not the EarthLink SMTP servers. All you need to do is go into your e-mail program's settings and change the outgoing mail server to either mail.mindspring.com or mail.earthlink.net. One of these will work for you and allow you to send mail while connected to your EarthLink connection without a problem.

      To explain this in more "real world" terms, think of the US Mail system. All that's going in is that you're being required to use your current connection's post office (outgoing mail server) to post mark your email. Every ISP has post office server to do this for the customers connected. And just like the US Mail system, the postmark does not change the address the mail message is coming from.

      This policy has been in effect for nearly 3 years on the MindSpring side of the company and is now being implemented on the EarthLink side of the company. You can find more information about this at the following site: http://help.earthlink.net/port25/

      Me: Just to clarify... does this mean that earthlink's mail servers will send my outgoing mail instead of my ISPs servers?

      AnthonyM: exactly right.

      Me: how does earthlink authenticate me as the owner of the third party account? In other words, what's to stop a malicious person from doing the same thing and sending mail that appears to be from my account?

      AnthonyM: you must authenticate to connect to an earthlink access point. only someone who is connected through our access points can use our smtp servers.

      Me: It authenticates me as an earthlink user, but it has no way of knowing that I own the third-party account, I could say I'm gbush@whitehouse.gov, for instance, and it sounds like the earthlink servers would send that.

      AnthonyM: as long as you are connected to us, why would it matter? it's your account.

      Me: Anyway, I'll give it a try, but I'd like to point out that I don't think this is a very effective way of doing this... it might be better to just investigate people who seem to be sending massive amounts of data over port 25. Thanks for your time.

    4. Re:Blocking port 25 by Cramer · · Score: 2

      Yes, mindspring has been doing this for a long time. At one point, they had the dialin users "trapped" -- port 25 always goes to their mail server no matter who you tried to connect to.

      Yes, you can claim to be whomever you choose, but mindspring/earthlink will be able to tell who actually sent the message by simply looking at their logs. There they will find the IP of the origination point and thus YOU. If you connect directly to some server in Korea that doesn't log anything or add any header listing where the message came from, then there's no way to tell who's responsible.

  44. The old "factor a noumber to send" idea... by Kjella · · Score: 2

    ...and I still don't see why it won't work. Have something that'll keep my machine occupied say, five seconds per mail, which could possibly be fifty for the slowest ones out there, but hardly a crisis for a mail to someone you've never sent mail to before. However a spammer is usually sending multi-recipient messages, and in massive amounts. Thousands times a couple of seconds at full load = high electricity bill, machine costs (need a fast machine, not a P75 spitting out mails) and much slower.

    Also, include the following: Address verification *after* factoring. So people scanning will have to factor on every attempt (and people who made a typo will also factor once for no result, but they do it once, not a hundred times).

    Naturally, you should be able to add a group of trusted addresses and domains that don't need to do this. Also, mailing-lists and similar should have the possibility to request this. This would not be a regular mail and so can't contain spam. It'll only contain the who and what, no body. "subscribe@somewhere.com requests authorization to send you 'Somewhere.com newsletter'". If authorization is granted, your server would get back to the originating server and tell it's ok. This would be the normal opt-in message you receive today, only now put into a system.

    As the factoring should occur upon delivery of the mail, it'd have to reside serverside, so I guess there would be some privacy issues about the server knowing who you trust, but I don't see that as a big problem.

    Technically, it shouldn't be any problem:
    Server: 2x pseudoprime generation, multiply, send.
    Client: Factoring algorithm, return.
    Server: Verify through division or comparison with original.

    The problem? As long as spammers can just fall back to the old protocol, it doesn't improve anything. But if it starts somewhere, others might catch on, and in the end people might just fish out non-spam messages out of their conventional mails, encouraging them too to use the new system, and in the end just block conventional email altogether. It's a long term solution, but the end result is a lot more promising than most other suggestions I hear.

    Kjella

    --
    Live today, because you never know what tomorrow brings
    1. Re:The old "factor a noumber to send" idea... by dangermouse · · Score: 1
      The quick and easy solution to being forced to factor large numbers before sending email is to just keep a table.

      So you've added a database to the cost. woo.

    2. Re:The old "factor a noumber to send" idea... by Corgha · · Score: 2

      The heart of your scheme is to make it really expensive to send thousands of mails per day. What about those of us who run sites that send tens or hundreds of thousands of legitimate emails per day on behalf of tens or hundreds of thousands of users?

      Our four old single-CPU mail servers handle half a million legitimate messages per day with very little load (there are four for crazy levels of redundancy). Most of what they do is to just shuffle data around or do DNS lookups. Now you're asking them to do computationally-intensive tasks that take 5 seconds per message, so to handle the load averaged over a day, I'd now need 29 mail servers running at full CPU utilization all day [(500000 mails/day) * (5 CPU*secs/mail) / (86400 secs/day) =~ 29 CPU]. However, the load is not even over the course of the day; at peak times (mid-afternoon) the rate is easily more than five times the average. To handle peak loads of exactly five times the average, I'd need 145 servers working full-blast.

      Even so, I still wouldn't have the comfortable margin I have now. For that, I'd need even more servers. Even if I could justify the outlay for the machines, I'd have to get a new machine room to house them and supply the power, UPS, and A/C. Then I'd have to set up all those machines, keep them patched, and so on. To say that it would be highly unlikely for such a plan to be approved would be an understatement. Sure, spam sucks and costs legitimate people money, but is stopping it worth increasing by nearly two orders of magnitude the costs associated with running legitimate mail servers?

      Granted, those estimates are not accurate because not every mail would require CPU-intensive verification, but some of them would, possibly a good portion of them if your proposal were widely accepted. The worst part is I would be entirely dependent on some remote sysadmin putting my servers on his list of "trusted" servers. Do you realize with how many other sites and unique email addresses we exchange mail? Don't sysadmins have enough to do without spending their time maintaining such a list? Even in the highly-unlikely best case, where the system operates perfectly, every mail we send out is magically a hit on the remote site's list, and entries are added to the list on our site automagically, you're still talking a *huge* and growing database, and that's going to cost something (computer time doing the lookups, sysadmin time maintaining the database). In the real world, however, it would probably be worse.

      Bottom line: this may work fine on your little pentium Linux box at home running a vanity domain, but it'll go over like a lead balloon with sysadmins in the big leagues and the people who control their purse-strings. You'll have to prove to them that the absolutely certain benefits outweigh the remotely possible costs, and that implementing such a system won't disrupt or slow mail delivery in any way. Good luck on that.

      I'm not saying that I couldn't be convinced that such a scheme would be a good idea, but I remain extremely skeptical. The answer to this proposal seems to be that given to so many proposals: "DOES NOT SCALE". I really need to get a rubber stamp that says that. What makes this proposal actually irksome is that the lack of scalability is deliberate.

    3. Re:The old "factor a noumber to send" idea... by dentin · · Score: 2

      I understand your argument about having a legitimate need to send tens of thousands of pieces of email, and I see easy solutions for it.

      Consider these possibilities when a remote host tries to send us mail:

      It is recognized as a 'good' host, so we accept its connection and mail unchallenged.

      It is recognized as a 'bad' host, so we challenge it and tell it we don't accept mail from spammers.

      The third option is more complicated: The connecting host is unknown. We ask who the mail is destined for, and attempt to do a lookup. If the user doesn't exist, we challenge the host, then after getting a response reply that the user 'either does not exist or is not accepting mail from you.' If the user does exist, we open ~user/.somemailrcfile and take actions based on that: The sender might be known good, in which case we accept the mail without challenge. It might be known bad, in which case we deny with the same 'does not exist' reply as above. Otherwise, we just challenge and accept the mail.

      This gives system administrators the ability to form the mail networks they need, but it also puts the power of white and black lists in the hands of the users, where it is needed. If I, as a user, don't want to ever receive mail from *.tw, I should be able to tell the system mailer that. Filtering after the fact (with tools like procmail) means the mail still got delivered and consumed bandwidth.

      In some ways, this also solves the opt-in/opt-out mailing list problem. If you have a mailing list and you send to a lot of people, you'll have to deny sending to any users/hosts that challenge you. If the user really wanted to be on your list, the user would have to add your list to his personal 'do not challenge' list.

      This would also make it easy to unsubscribe - simply remove the list from your 'do not challenge' list, and you would be automatically dropped from the list.

      I also don't see any insurmountable problems with forwarding. What do the rest of you think?

      -dentin

      --
      Alter Aeon Multiclass MUD - http://www.alteraeon.com
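
An added sketch of the factoring challenge Kjella outlines and the good/bad/unknown-host flow dentin describes; it is not code from the thread or from any mail server. The function names, the SMTP-style reply strings, the 24-bit prime size and the choice to challenge before a per-user deny are assumptions.

```python
"""Factoring challenge for unknown senders plus the accept/deny decision flow."""
import secrets
from math import gcd

# Miller-Rabin with these bases is deterministic for every n below 3.3e24.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
NO_USER = "550 user either does not exist or is not accepting mail from you"


def is_prime(n):
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full width, odd
        if is_prime(c):
            return c


def make_challenge(bits=24):
    """Receiving server: two fresh primes, multiply, send only the product."""
    p = random_prime(bits)
    q = random_prime(bits)
    while q == p:
        q = random_prime(bits)
    return p * q, (p, q)


def solve_challenge(n):
    """Sending side: Pollard's rho, roughly sqrt(smallest factor) steps."""
    while True:
        c = secrets.randbelow(n - 1) + 1
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:  # d == n means this c cycled without a split; retry
            return d, n // d


def verify(n, answer):
    """Receiving server: one multiplication, so checking stays cheap."""
    a, b = answer
    return a > 1 and b > 1 and a * b == n


def decide(host, sender, rcpt, good_hosts, bad_hosts, user_lists):
    """Return (challenge_first, accept, reply) for one delivery attempt."""
    if host in good_hosts:
        return (False, True, "250 accepted")
    if host in bad_hosts:
        return (True, False, "550 we do not accept mail from spammers")
    lists = user_lists.get(rcpt)
    if lists is None:  # address probing still pays for a factoring run
        return (True, False, NO_USER)
    if sender in lists["good"]:
        return (False, True, "250 accepted")
    if sender in lists["bad"]:  # assumption: challenged first, same reply
        return (True, False, NO_USER)
    return (True, True, "250 accepted")


def handle(host, sender, rcpt, good_hosts, bad_hosts, user_lists, solver, bits=24):
    challenge_first, accept, reply = decide(
        host, sender, rcpt, good_hosts, bad_hosts, user_lists)
    if challenge_first:
        n, _factors = make_challenge(bits)
        if not verify(n, solver(n)):
            return "550 challenge failed"
    return reply
```

The `bits` argument is the cost knob: the sender's work grows with the size of the primes while the receiver's check remains a single multiplication.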
  45. Re:Optionally publish valid mail servers for domai by spazimodo · · Score: 2

    you can do this already. Do an RDNS lookup on the IP of the server and reject it if the domain in the 'from' doesn't match.

    --

    Fsck the millennium, we want it now.
    Millennium Crisis Line: 0890 900 2000 [calls cost 50p/min]
  46. On spam by perlyking · · Score: 2

    I am very careful with email addresses - though obviously not careful enough :-)
    This week I received my first ever unsolicited email from my own country - a real world business {that's choiceco@aol.com , choicewatford@aol.com and info@choiceofficefurniture.com for any spambots reading!! Fight fire with fire ;-) }

    As far as the spam from US people using open relays in asia, sure shut them out/down - unfortunately the spammers won't give up quite as easily as that, I'm sure they will find some other way to send their crap.

    --
    no sig.
  47. No way by Mustang+Matt · · Score: 2

    Do you seriously think that spam is coming from ancient linux distributions?

    No way... It's coming from brand new machines with dual processors and half a gig of ram that are ready to process a LOT of email.

    These people aren't being exploited with open relays... Some are but most aren't. They're being paid to place open relays out there.

    What do they care, American businesses want to pay them to spam Americans. Many of them don't even like Americans anyway.

    Asian ISPs don't care or we would have heard from them by now.

    Blacklisting Asia is not such a bad idea. The biggest problem with blacklisting asia is all the people that won't unblacklist them if they get their problem fixed.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
    1. Re:No way by Pstrobus · · Score: 1
      Blacklisting Asia is not such a bad idea. The biggest problem with blacklisting asia is all the people that won't unblacklist them if they get their problem fixed.


      And the fact that most of my spam comes from .it and .ru. So does that mean we need to start blocking Europe as well as Asia? And if we do block Europe, eventually we'll only be able to send mail to 127.0.0.1. Then again, that might mean folks will stop sending chain letters "get free stuff!" "hug your friends!" bah.


      Qohelet was right "there is nothing new under the sun."

      --
      "The conduct of neither [party], if strictly examined, will be irreproachable." -Elizabeth Bennet
  48. Korean Spam is the Worst by Nova+Express · · Score: 3, Informative
    I think, if anything, the article understates the Asian Spam Problem. Over half of the Spam I get is from Korea, and 90% of that is Korean language spam. I have complained literally hundreds of times to the various Korean Spam domains involved (kornet.net is the worst, but hananet.net, thrunet.com, and dreamx.net aren't far behind), to every "official" e-mail address I could find or think of (see below), all to no avail. In fact, the amount of spam actually increased. If any Slashdot readers actually speak Korean, you might send e-mail to the following addresses and let them know that their spam problem is so bad that rest of the Internet is in the process of blocking all e-mail from all of Korea in response to their sins.

    Kornet.net (the biggest offender)

    Itnsoft.com (the #1 spamvertised Korean domain)

    DreamX.net (Korean porn spam, mostly)

    Thrunet.com

    hananet.net

    KIDC.NET

    --
    Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)

    http://www.lawrenceperson.com/

    1. Re:Korean Spam is the Worst by Anonymous Coward · · Score: 0

      Now that you posted these email addresses on slashdot, maybe their bots will pick em up and add them to the spam list :-)

    2. Re:Korean Spam is the Worst by Anonymous Coward · · Score: 0

      - I have complained literally hundreds of times to the various Korean Spam domains involved (kornet.net is the worst, but hananet.net, thrunet.com, and dreamx.net aren't far behind), to every "official" e-mail address I could find or think of (see below), all to no avail. In fact, the amount of spam actually increased.

      You should NEVER reply to spam. If you do, they'll know that you actually read mails, then your address will gain some sort of marketability, and this will end up in receiving more and more junk mail.

  49. Spam effects a good thing? by Todd+Knarr · · Score: 2

    Maybe this is a good thing. First, it provides a graphic rebuttal to the people who say "Why worry about spam, just hit the Delete key and it's not a problem anymore.". A slowdown like this is a big problem, and hitting the Delete key won't solve it because the servers are still bogged down delivering it so you can delete it.

    Second, if the majors like AT&T start getting affected like this, maybe they'll start taking it seriously as a "this is going to cost us customers" problem. The spamhauses have hidden behind the fact that it doesn't cost their providers much to keep them around and they do pay their bills. If this kind of realization sinks in, the majors may start looking for the ultimate source of the spam (not just the relay they used, but the person/company actually responsible for the spam) and punting them from their networks completely to avoid ticking off the other major players. If I call UUnet and complain about a paying customer they're not likely to listen. If AT&T calls UUnet, they've a slightly bigger club to wave.

  50. It's not all from Asia... by sconeu · · Score: 2

    I got spam from the DNC. They use Cheetahmail.

    Now, I'm a registered Libertarian, and have never given the DNC my email, or any indication that I want to hear from them...

    Go figure.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  51. 20% of all emails... by tcc · · Score: 3, Interesting

    See? this is where I think the Gov. is failing. We got something that we all commonly HATE: SPAM.

    We have a common target on which we'd love to see some LEGISLATION against it, for once.

    And what is the Gov. doing? Passing laws left and right to protect big corporation, to reduce your rights as consumers, to be a complete pain in the ass and give themselves the right to sue the planet, but what is being done for the VOTERS, the USERS, the people paying the tax dollars?

    Well this is one case of an EASY win of public opinion, heck, they could even pass a few bad things without people noticing it because we'd be so impressed that our elected people actually did something for the PEOPLE.

    Ok this sounds like I am frustrated against the system but you get the idea... of course a global spam law and action will be taken one day... when all the big corporations will be really pissed. Or major ISP be fed up paying bandwidth for SPAM, Look now AT&T is starting the run, shouldn't take long now before we get something out of this.

    I think blocking ASIA would be a good thing, a pain in the start, obviously, but for a good cause, when they'll see they can't conduct business properly, they'll move and close those open relays and hey, screw human rights on spammer, you can KILL the biggest of them and I don't see anyone here who'll be really upset, for once :).

    Spam is doing 20% of the global traffic, the numbers are about right with what I see in my mailbox, as for my hotmail mailbox though, it's more like 95%.

    --
    --- Metamoderating abusive downgraders since my 300th post.
    1. Re:20% of all emails... by Anonymous Coward · · Score: 0

      There are laws on the books forbidding advertisements via fax. Does this stop fly-by-nighters from sending advertisements via fax? Nope; only respectable companies with something to lose don't stoop to it. Few fax owners believe it worth their time to complain about these ads, so most such advertisers go unpunished.

      Laws are utterly ineffective if they aren't (or can't effectively be) enforced.

  52. Re:Optionally publish valid mail servers for domai by LordNimon · · Score: 1
    Unfortunately, that will block people who use their own computer as a sendmail server. My From: line contains my correct email address, but I don't have a sendmail server running on that domain.

    IMHO, the only real way to stop spam is when all ISPs worldwide adopt a policy that 1) validates a credit card when someone signs up, and 2) charges that credit card a fee if the user spams. Sure, this will mean that no one will be able to get Internet access in less than 24 hours, but so what?

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  53. Re:Optionally publish valid mail servers for domai by John+Murdoch · · Score: 2

    Hi!

    When an email comes in, you check if there's a verification server for the source domain of the email, and if so try connect to it, and then submit the email address for verification. Depending on whether it says yay or nay, you accept or reject the mail. If they're not running a verification service, you just failsafe. I know SMTP vrfy exists, but sites often turn it off, or it doesn't do anything useful as the external server is just forwarding mail, etc etc.

    This would be a problem for notebook users. If you're running a POP3 server in a corporate environment, one of the problems you have to contend with is traveling users (sales people, etc.) who want access to mail, and want to be able to send mail at the same time. One solution (for Windows NT users) is to implement the SMTP server that's built into NT. Have the road warrior send from his local SMTP server, but retrieve his mail from the corporate POP3 server.

    One could, I suppose, simply add all those road-warrior notebooks to the list of authorized MTAs. But in a large-ish corporation it might be a record-keeping nightmare.

  54. Demonstrable Damage and A License to Drive by erroneus · · Score: 2

    Okay... now that business interests are being demonstrably damaged (affected) maybe something can and will be done!!

    Proof of damages clearly removes the age-old argument "just delete it! don't be such a whiner!"

    The "Asian" spam people are concerned with doesn't always precisely "originate" from Asia in the truest sense, however, it does come from mail relays being prone to being open.

    On today's roads, a driver's license is required in most countries and certainly in the U.S. The purpose is at least partially to demonstrate proof that they have met minimum required skills and knowledge to operate a vehicle lawfully and safely. I hate to say "Hey, we need even MORE legislation" because I generally stand for smaller government. However, I believe that since the IIS flaws which still exist today (along with unpatched and currently still infected operating Windows boxes) combined with other people running servers with open relays among many other problems, I'm beginning to think that having an operator's license (not unlike a radio operator's license) should be required for internet usage.

    Not only could this better raise awareness of security, but also netiquette and some basic technical understanding about the net and how things operate.

    So, to just run a "client" computer, no license or something very minimal should be required. To run a personal or private server (email, web, ftp, whatever...small or limited use) something of a "Class C" license should be required. ISPs and hosting companies should require a professional license and such.

    I don't propose that these cost any money or require any given renewal concerns. Costs should be extremely minimal to the point that it doesn't matter and only serves to fund the project. I just think that while we can't have "joe user" installing a Windows Server or some default *NIX to utilize the internet should be held accountable for his lack of knowledge, skills or ability as it DOES affect the rest of us in some way or another. Negligence in other areas of life are punishable offenses.

    As things stand now, the internet is treated as a concern that is separate from daily life, however, I hold that for some, the internet is as essential to public access as our roads are! I don't think this notion is far fetched and I don't think it will "shut out" too many people.

    In addition to that, suspending a license could be a more appropriate punishment for certain hacking activities as opposed to life in prison and never again accessing a computer device.

    Anyway... I'm sure this idea in its basic form has a great deal of merit and will serve the public good. The devil is in the details and we should be very careful with its implementation. (example: licensing/certifying Operating Systems as 'internet safe' and such might be an issue of great concern and commercial interest.)

  55. They should use Vipul's Razor by Colin+Smith · · Score: 2

    http://razor.sourceforge.net/

    --
    Deleted
    1. Re:They should use Vipul's Razor by Anonymous Coward · · Score: 0

      An alternative is to use a White List strategy.
      Try using TMDA.

  56. AT&T mentioned this in the internal support gr by Fencepost · · Score: 2

    The cause of the mail slowdown has been discussed in the worldnet.* internal groups.

    --
    fencepost
    just a little off
  57. DMA mail servers by Anonymous Coward · · Score: 0


    I was just thinking the other night how ironic it would be if the DMA's mail servers were using ORBZ/ORDB or were an RBL subscriber. I think I might take the time to bounce something off of a known open relay and see if the DMA kicks it back.

    Heh - most amusing (and of course unlikely) would be a court order forcing the DMA to disable any and all spam interception on their systems. Let them reap what they have sown.

  58. Re:Optionally publish valid mail servers for domai by sjames · · Score: 2

    One could, I suppose, simply add all those road-warrior notebooks to the list of authorized MTAs. But in a large-ish corporation it might be a record-keeping nightmare.

    Just use authentication for them. Surely, it wouldn't be any harder than keeping user accounts on the intranet servers up to date. It could even use the same authentication database.

  59. Whitelists are the only way to fly by phillymjs · · Score: 2

    I hate spam with a passion, and go to great lengths to keep from even seeing it in my In Box.

    I still keep an AOL account, and it was YEARS ago when it hit the point where it became more convenient to block all mail and have to add someone's address to my whitelist before they could send me anything, than to delete all the spam that hit that account without the whitelist.

    I do much the same thing with my regular e-mail client. The last rule enacted on messages that aren't filtered out by the rules before it, basically puts everything into Deleted Mail, and it gets trashed automatically after 3 days. I peek in there once per day and almost never have to adjust any rules because non-spam accidentally was marked as spam.

    ~Philly

  60. Nevermind Open Relays Old Version of Formmail by doon · · Score: 2, Informative

    Got hit with this a couple days ago. Hmm, Why am I (postmaster) getting 400 bounce messages from one of our webservers? (we are an isp).

    Started digging through the logs and found an automated tool is using an old version of formmail that one of our users had installed. Seems like a spider found that it was a formmail cgi and tested it and found it to be vulnerable, so it sent e-mail to an aol box. 4 hours later what appears to be a Windoze program using the Microsoft URL Control is sending tons of messages through this formmail cgi, bypassing any rules we have set up in the mail server for dynamic blackholing of people that send too many messages or messages with too many invalid to's in the header, because it came from a trusted host.

    Besides that fact that I was pissed, I was intrigued. That was pretty slick, once you start closing down one way for them to spam they keep coming up with more.

    On a side note we have found that if you simply strictly follow the RFCs you cut back a lot of mail you accept, and also doing a reverse DNS lookup, just to make sure their IP resolves to something, helps a lot. By turning on reverse DNS lookups and not accepting mail from IPs that don't resolve, we drop about 68K messages a day.

    --
    To E-mail me, replace the first period in my domain with an @
    1. Re:Nevermind Open Relays Old Version of Formmail by S.Lemmon · · Score: 1

      This is *very* common nowadays. We get hit by this too, but our version of formmail.pl isn't what it seems. It doesn't actually send any mail at all, but does log everything (including all HTTP headers) to a file. It also generates abuse complaints if an IP contacts it over 10 times (it doesn't actually mail them, but places abuse reports in a file I can check).

      Usually you'll see relay "test" attempts on the script first, but if it looks like a spammer, I'll sometimes "forward" these manually. ;-)

      I figure it's better a spammer send us thousands of messages to nowhere than do the same to a script that's still exploitable (and it makes for a nice weblog to send their ISP!).

  61. Spam email - denial of service by Anonymous Coward · · Score: 1, Informative

    The article notes that AT&T uses Brightmail spam filtering, and the Brightmail systems were overwhelmed by the quantity of spam mail. I've had a similar experience.

    I have a Verizon DSL account and they recently added Brightmail spam filtering. All spam that Brightmail detects goes into a special "folder" - inaccessible to POP3 clients but available via their webmail interface. Nice feature, eh? You would think so. But:

    The spam builds up in this folder until it grows larger than your 6MB email quota, at which time all mail to your account is returned to sender with a "server quota exceeded" error. You, as the user, never get notified. You simply stop receiving email. For those of us who never use the web mail interface, it is a confusing and frustrating problem.

    My spam folder fills up once every 2-3 days, requiring me to access the webmail interface and clean it out. And no, there is no way to turn this feature off. Thank god for cron jobs and wget, or I'd be forever tied to my computer... I have a cron job that hits the web site, logs in and deletes the mail for me every evening.

    I've written to the Office of the President at Verizon to tell them what a stupid feature this is. Either allow us to turn off Brightmail filtering, or don't count the spam mail against our quota. One month later, no response at all from Verizon.

  62. Re:Optionally publish valid mail servers for domai by Anonymous Coward · · Score: 0

    Using DNS to authenticate domain SMTP servers would definitely make spammers' lives more difficult. To make it even more effective the DNS governing body would also have to be on board to prevent spammers from obtaining their own domain name so they can pass the requirements of DNS-authenticated SMTP servers.

  63. Re:Optionally publish valid mail servers for domai by dvdeug · · Score: 2

    Do an RDNS lookup on the IP of the server and reject it if the domain in the 'from' doesn't match.

    Which, of course, drops some valid mail, like mine, which has a from: okstate.edu and IP of x8b....dhcp.okstate.edu.
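
The reverse-DNS policies discussed in comments 60 and 63, compared side by side. This is an added example, not code from any poster; the PTR table, addresses and policy names are constructed for illustration, and `lookup` can be swapped for the live `ptr_lookup`.

```python
import socket

# Constructed PTR data (documentation address ranges), standing in for live DNS.
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.org",
    "192.0.2.77": "host77.dhcp.campus.example",
    # 198.51.100.5 deliberately has no PTR record.
}

# Constructed (client IP, envelope/header From) pairs.
SAMPLE_MAIL = [
    ("192.0.2.10", "list@example.org"),        # domain's own mail host
    ("192.0.2.77", "student@campus.example"),  # DHCP host inside the sender's domain
    ("192.0.2.10", "me@webmail.example"),      # other address sent via own server
    ("198.51.100.5", "offer@example.net"),     # client IP that does not resolve
]

POLICIES = ("must-resolve", "exact-match", "suffix-match")


def ptr_lookup(ip):
    """Live lookup: PTR host name for ip, or None if it does not resolve."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None


def sample_lookup(ip):
    """Offline lookup against the constructed table above."""
    return SAMPLE_PTR.get(ip)


def check_sender(ip, mail_from, policy, lookup=ptr_lookup):
    """Return (verdict, reason) for one connection under the given policy."""
    host = lookup(ip)
    if host is None:
        return "reject", "client IP has no PTR record"
    if policy == "must-resolve":
        # Comment 60: only require that the IP resolves to something.
        return "accept", f"resolves to {host}"
    domain = mail_from.rpartition("@")[2].lower().rstrip(".")
    if policy == "exact-match":
        ok = host == domain
    elif policy == "suffix-match":
        # Accept hosts inside the From domain, e.g. DHCP names.
        ok = host == domain or host.endswith("." + domain)
    else:
        raise ValueError(f"unknown policy: {policy}")
    if ok:
        return "accept", f"{host} matches {domain}"
    return "reject", f"{host} does not match {domain}"


def compare_policies(mail=SAMPLE_MAIL, lookup=sample_lookup):
    """Verdict of every policy for every sample message."""
    return {
        (ip, sender): {p: check_sender(ip, sender, p, lookup)[0] for p in POLICIES}
        for ip, sender in mail
    }


if __name__ == "__main__":
    for (ip, sender), verdicts in compare_policies().items():
        print(f"{ip:<14} {sender:<26} {verdicts}")
```

Only the unresolvable client is dropped by the "must resolve" rule; the matching rules also drop the cross-domain sender, which is the legitimate use comment 64 objects to losing.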

  64. Problematic for many users by Corgha · · Score: 3, Insightful

    The downside of it is that if you have a yahoo.com address, but want to run your own smtp server to deliver your mails, then you'd fall foul of such a system. I don't think that's a biggy though - if you could run your own smtp server, you'd probably not use a yahoo.com address you'd have your own domain :).

    Actually, this is a pretty big downside for many users. Every once in a while, someone proposes a similar scheme that makes it hard or impossible to "forge" From addresses. This is not exactly that, but it's close enough. The problem is that this is a perfectly legitimate and necessary use of email, and is, in fact, discussed in RFC 822.

    The basic problem is that many of us wear quite a few different hats, each of which has one or more email addresses. Suppose I want to send an email using my personal address while I'm at work, or my work address while I'm at home. Suppose I need to reply to some email sent to an official address using that official address as the header From, and that I also want bounces to go to that address so that others at that address can see if my reply was not sufficient (requiring a change in the envelope From). Maybe I do run my own smtp server and domain, but I want to use my spam-trapping yahoo address to reply to yahoo mail (for privacy reasons), and I want to use mutt instead of some stupid web interface. Maybe I'm a sysadmin who wants to set up a number of forwarding addresses (perhaps official addresses for some project on some domain). Now my one-way service has to be a two-way service; instead of just editing the aliases file, I have to set up an account for each of the people who needs to send mail. These are just some of the things that I happen to do on a daily basis and that adoption of your system might make impossible or more of a pain.

    Sure, a lot of times this can be solved by some sort of remote access or SMTP auth, but it would certainly be less convenient (especially because some sites are difficult to access remotely). The bigger problems are social: many of the users I know who do these sorts of things aren't the most technically-savvy; many domains are unlikely to introduce the features necessary for full remote access (so then it becomes less of an inconvenience and more of a loss of service).

    The good thing about your proposal is that it's opt-in for the sender's domain (whereas most others are opt-in for the recipient's domain), and it therefore gives a domain more control over its email addresses (as opposed to less with other schemes). It allows example.com to say "we want mail from addresses in our domain sent out via only our servers." Presently, anti-relaying provisions in servers make it possible to say "we want only mail from addresses in our domain sent out via our servers." This just completes things.

    I guess it depends on your perspective. As a sysadmin, I'd be happy to have the power to turn this on for my domain (though I probably wouldn't, and other domains might not use it -- look at how terrible people are with MX records). As a user, I'd be unhappy if one of my sysadmins turned it on, but happy if some of the domains spammers use and I don't use turned it on. I guess it might be sort of a "not in my backyard" issue, which might limit its adoption. Another problem might be sysadmins that block domains which don't have these records, thus taking the power away from the sender's domain again.

    While I'm ramblingly replying:

    When an email comes in, you check if there's a verification server for the source domain of the email, and if so try connect to it, and then submit the email address for verification. [...] I know SMTP vrfy exists, but sites often turn it off

    They turn it off because it can be abused by spammers looking for valid addresses or is in some other way a privacy concern. What you propose is functionally equivalent to VRFY (except that it can run on a different server), so I doubt it would be turned on either. However, it might not be a bad thing for servers to *try* to VRFY an address, and only block if VRFY returns "no such user" (not "permission denied"). If a separate protocol and server is desirable, there is always good old finger (though it's maybe a little too free-form), but VRFY makes more sense, as the primary mail servers should know to whom they can deliver mail.

  65. Re:Optionally publish valid mail servers for domai by Corgha · · Score: 2

    Just use authentication for them. Surely, it wouldn't be any harder than keeping user accounts on the intranet servers up to date. It could even use the same authentication database.

    What accounts? What authentication database? Presently, the existence of a mailing address does not imply the existence of a user account. Consider forwarding-only addresses. Should all the volunteers behind bugs@opensourceproject.example.org require accounts? Maybe the sysadmin is a volunteer, too.

    What about those of us who use webmail addresses as spam traps? Now we have to use crappy web interfaces to send (or those webmail companies have to set up SMTP AUTH, with which they very well may not want to bother).

    ...and so on, and so on...

  66. Unidentified Internet marketer by dreamquick · · Score: 2, Insightful

    Quote:

    "According to Brightmail spokesperson Francois Lavaste, an unidentified Internet marketer overwhelmed Brightmail's filtering system with messages, slowing down all e-mail delivery."

    Why not name and shame them?

    If they used their own servers then you know who they are, and if they didn't (although the sheer volume means it is very unlikely they could have used an open-relay unnoticed) then trace them back and make an example of them.

    They are clearly a professional operation so bad press is going to make them look really bad in front of their existing clients, and if you tried hard enough you could have great fun suing them for all they were worth...

  67. Well, gee... by seebs · · Score: 2

    Maybe if AT&T disconnected some of the half-dozen active spammers on their network I keep complaining about, they'd get some sympathy.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  68. Economics of Spam by cyberformer · · Score: 2
    A part of the problem is that many spammers do get their bandwidth literally for free (even though the cost of sending an individual message is low, the cost of sending a billion quickly mounts up). They send one message to an open relay, which then turns it into millions more.


    Perhaps we need to educate the sysadmins who keep relays open that the spammers are stealing their bandwidth and system resources, not just those of the people who get spammed.

  69. Gunpowder wasn't invented in China. by Anonymous Coward · · Score: 0

    You heard right: gunpowder wasn't invented in China. "Black powder" came from China, which is not exactly the same thing.

    Since guns (invented in Europe -- see http://www.uselessknowledge.com/word/gun.shtml for an odd knowledge history of the term "gun") postdate these elemental explosive chemicals, it's a rather large claim to credit Chinese history with inventing something that would centuries later acquire a completely different use in another continent altogether. That would be like me claiming to have invented the pocket radio because I first detected radio waves.

    Just something that's always bugged me. Arabic mathematicians invented the number zero by the way. History is full of twists...

  70. Could certificates eventually solve this? by Fastolfe · · Score: 2

    Since spammers by their very nature do what they can to hide in anonymity (both to make it hard to filter repeat offenders and hard to track them down to "cancel" them), it makes me wonder if a push to fully authenticated e-mail might solve this.

    I'd hate to label every piece of e-mail with a valid certificate (forcibly associating someone's words with their identity), though, but given the way things are moving, I can foresee this in the next 10-20 years.

    Everybody will have a digital certificate, and every e-mail will be transparently and automatically signed with this certificate. People on the receiving end will know who's sending the message not by looking at the From: header but by examining the identity of the certificate, and users will be given the option to reject or accept messages that aren't signed (meaning the identity of the person can't be trusted). Since a high and growing percentage of this anonymous mail will be spam, eventually more and more people will start rejecting it, and spam will neatly kill itself off (at the same time killing off the ability for people to send e-mail anonymously).

    It's a sad state of affairs, but it's going to be impossible in the near future to differentiate between e-mail sent from someone you don't know, and mass e-mail sent from a spammer.

    1. Re:Could certificates eventually solve this? by Anonymous Coward · · Score: 0

      If mail is "transparently and automatically" signed, the security is useless. Crypto is hard because it needs to be hard to do it right. Otherwise it will be trivial to steal others' certificates and the signatures will be useless.

    2. Re:Could certificates eventually solve this? by Fastolfe · · Score: 2

      Sorry, I was making an assumption that in X years, security of hosts will reach a point where things like this can be done transparently and automatically. When you authenticate with a host (like your PC), you're authorizing the host to authenticate with your certificates on your behalf when you make use of network resources (e.g. e-mail) that you want to authenticate with.

      I'm not going to try and solve the difficulties in making something like this happen today. Who knows, maybe by the time something like this happens we'll have private keys in physical cards or secured with biometric scanners. It doesn't seem out of the realm of possibility that these things will become more prevalent in the future and that it will make it easier for us to do just what I was describing.

  71. Tracking down the harvesters too.. by Fastolfe · · Score: 1

    I have a honeypot domain of sorts that I collect spam with. Not to analyze the spam, but to analyze how it got there. On a number of web sites I'm using a little CGI script that generates a dynamic e-mail address based on the IP of the visitor (and any forwarding-for information if it's a proxy) and the date/time. That way, when they spam the address, just by looking at the address I can tell how it was harvested and when.

    I don't know if ISP's ever do anything with these types of complaints, though, so I don't know if this will ever be fruitful, but it's enough to satisfy curiosity..
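
A sketch of the per-visitor trap address described in this comment, as an added example that is not the poster's script. The address layout, the `trap.example` domain, the demo secret and the HMAC tag (which lets the operator discard addresses that were guessed or altered rather than harvested) are all assumptions; it handles IPv4 only.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

SECRET = b"constructed-demo-secret"  # assumption: per-site secret kept off the page
TRAP_DOMAIN = "trap.example"         # assumption: placeholder honeypot domain


def ip_to_hex(ip):
    """IPv4 dotted quad -> 8 hex digits, safe inside a mail local part."""
    return format(int(ipaddress.IPv4Address(ip)), "08x")


def hex_to_ip(text):
    return str(ipaddress.IPv4Address(int(text, 16)))


def tag_for(payload):
    """Truncated HMAC so that only addresses we issued decode successfully."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:8]


def make_trap_address(client_ip, when, forwarded_for=None):
    """Address to embed in the page served to client_ip at time `when` (aware)."""
    fields = [ip_to_hex(client_ip), format(int(when.timestamp()), "08x")]
    if forwarded_for:  # proxy-supplied client address, if any
        fields.append(ip_to_hex(forwarded_for))
    payload = "-".join(fields)
    return f"h-{payload}-{tag_for(payload)}@{TRAP_DOMAIN}"


def decode_trap_address(address):
    """Recover who harvested the address and when; None if not one of ours."""
    # Lower-case first: senders often change the case of an address.
    local, _, domain = address.strip().lower().partition("@")
    parts = local.split("-")
    if domain != TRAP_DOMAIN or parts[0] != "h" or len(parts) not in (4, 5):
        return None
    fields, tag = parts[1:-1], parts[-1]
    expected = tag_for("-".join(fields))
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    try:
        return {
            "client_ip": hex_to_ip(fields[0]),
            "harvested_at": datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc),
            "forwarded_for": hex_to_ip(fields[2]) if len(fields) == 3 else None,
        }
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed visit: a proxy at 203.0.113.7 forwarding for 198.51.100.23.
    seen = datetime(2002, 5, 1, 12, 0, tzinfo=timezone.utc)
    addr = make_trap_address("203.0.113.7", seen, forwarded_for="198.51.100.23")
    print(addr)
    print(decode_trap_address(addr))
```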

  72. Urgent need! by Anonymous Coward · · Score: 1, Insightful

    Dear Mr. Silas,

    I am in urgent need of your assistance. Based on your /. post, I feel I can trust you with a proposition that is not fully legal but that you will find to be potentially advantageous. My name is Mbutu Rasavi. I am the son of the under-secretary of human disposal in Nigeria. Due to political instability in my country, my family and I will soon be forced to leave. We have $47,563,083 in discreet funds that we must quickly transfer to a foreign account. If you would be willing to proxy this transaction through your own account, we will reward you with 10% of the funds.

    You are my only hope.

    If you are interested in this proposition, please save time by putting $10,000 in a brown paper bag, along with your own severed head, and ship it to the following address:

    1337 Llama Dr.
    IKantBLevHowDumbPplR, Nigeria

    Hurry.

    -Mbutu

  73. The first thing to be done... by cerberusti · · Score: 1

    is to extend SMTP to include the ability to require a username/password to send mail. I realize this would not solve all problems but, it is a better solution than the current kludge most people use (requiring a POP3 login first). It will take a while to become supported, but then again, it is a good first step.

    --
    I'm a signature virus. Please copy me to your signature so I can replicate.
    1. Re:The first thing to be done... by SuiteSisterMary · · Score: 2

      This has existed for years. Just so you know.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  74. Not true in the state of Washington by jhylkema · · Score: 1

    We actually have a very strong antispam law here. All you have to prove is either the subject line is misleading, another's domain name was used without their permission, or the point of origin/transmission path is forged. Basically, this covers about 99% of spam. Individual consumers can sue the spammers for $500 per message, an "interactive computer service" can sue for $1,000 per message. I have one case pending now and several more in the pipeline.

    Check your facts before you run off at the mouth. No, wait, this is /. . . .

  75. Spam Free Email, Guaranteed by GooRoo · · Score: 1

    Opt-In email. Rather than blindly accepting every message that comes in, why not deny every message that comes in - except for those on a specific accepted senders list?

    Of course there's several issues with this...

    How do you know someone you want to talk to is sending you an email?

    You could setup the server to accept the first message from a particular sender and then ask the user if they want to see messages from this person ever again, by domain or by specific email address.

    How do you easily delete all messages from a particular user/subject etc.?

    This would easily be accomplished by using a sql based storage system on the backend. It would be trivial to delete all messages from a particular email/ip/etc when everything is a quick sql statement. Additionally it would make for easy load balancing if the config was on the sql box and the front end servers could deal with the setup/teardown of smtp/pop/http sessions.

    What happens when the spammers realize this and start to search to find accepted senders?

    The server could easily be set up to deny all email from a particular domain/ip when a percentage of all emails are rejected or when it's viewed as sending too many messages at once. Send 100 emails and 25 are rejected? You're on the ban list. Send 10 messages in a row that are all bad? You're on the ban list. The ban list could be stored via sql as well so that front end servers could all instantly be notified of bans across server farms.

    I've suggested to several different people this way to make email 100% spam free, but no one has seemed to like the idea so far, so what does the slashdot crew think? Is it time to setup a project on sourceforge? Or does someone know of a server that does this already?
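
The ban rule from this comment (25 rejects out of 100, or 10 rejects in a row) applied to an accepted-senders list, as an added example that is not the poster's design or any existing server's code. Keying on source IP, using a sliding window of the last 100 messages, the in-memory storage and all addresses are assumptions; the "ask the user about a first-time sender" step is left out.

```python
from collections import defaultdict, deque

WINDOW = 100                 # "Send 100 emails ..."
MAX_REJECTS_IN_WINDOW = 25   # "... and 25 are rejected"
MAX_REJECT_STREAK = 10       # "10 messages in a row that are all bad"


class OptInGate:
    """Accept mail only from listed senders; ban sources that probe the list."""

    def __init__(self, accepted_senders):
        # recipient -> set of sender addresses that recipient accepts
        self.accepted = {
            rcpt.lower(): {s.lower() for s in senders}
            for rcpt, senders in accepted_senders.items()
        }
        self.recent = defaultdict(lambda: deque(maxlen=WINDOW))
        self.streak = defaultdict(int)
        self.banned = {}  # source IP -> reason

    def handle(self, source_ip, sender, recipient):
        """Return 'accepted', 'rejected' or 'banned' for one message."""
        if source_ip in self.banned:
            return "banned"
        wanted = sender.lower() in self.accepted.get(recipient.lower(), set())
        recent = self.recent[source_ip]
        recent.append(wanted)
        self.streak[source_ip] = 0 if wanted else self.streak[source_ip] + 1
        rejects = recent.count(False)
        if self.streak[source_ip] >= MAX_REJECT_STREAK:
            self.banned[source_ip] = f"{MAX_REJECT_STREAK} rejected messages in a row"
        elif len(recent) == WINDOW and rejects >= MAX_REJECTS_IN_WINDOW:
            self.banned[source_ip] = f"{rejects} of last {WINDOW} messages rejected"
        return "accepted" if wanted else "rejected"


ACCEPTED = {"alice@example.org": {"bob@example.net"}}  # constructed list


def guessing_run():
    """A source cycling through guessed sender addresses (constructed traffic)."""
    gate = OptInGate(ACCEPTED)
    results = [gate.handle("192.0.2.50", f"guess{i}@example.net", "alice@example.org")
               for i in range(12)]
    # Even a correct guess is refused once the source is banned.
    results.append(gate.handle("192.0.2.50", "bob@example.net", "alice@example.org"))
    return results, gate.banned


def noisy_run():
    """A source whose every fourth message is unwanted (constructed traffic)."""
    gate = OptInGate(ACCEPTED)
    results = []
    for i in range(101):
        sender = "stranger@example.com" if i % 4 == 3 else "bob@example.net"
        results.append(gate.handle("192.0.2.60", sender, "alice@example.org"))
    return results, gate.banned


if __name__ == "__main__":
    print(guessing_run())
    print(noisy_run()[1])
```

The second run shows the cost of the percentage rule: a relay that mostly carries wanted mail is cut off along with the unwanted quarter.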

  76. WhiteList Strategy? by Anonymous Coward · · Score: 0

    Blocking spam is almost futile. Spam is always changing, and new spam is always being created.

    Traditionally e-mail has been an open system, and we try to solve the spam problem by black-listing spam. However, because it doesn't look like open-relays will be going away anytime soon, the only way we can effectively make spam a dead-end is to use a white-list strategy.

    An alternative to Vipul's Razor trying to Block spam is TMDA.

    Implicitly all "good" emails are reply-able to, and once they confirm themselves, they can be on your whitelist and will be able to send email to you from that point forward. While it is a bad thing (tm) to close the openness of email (the true nature of the Internet is the free flow of information), this may be the only way to effectively stop spam from being a viable means for spammers to get their messages out. Only by making it totally worthless will spammers ever stop.

  77. Not a bad idea, but.... by Arker · · Score: 1

    First we've gotta get Cox to reveal his identity...

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  78. Contact the Payment Provider by RJR · · Score: 1

    Block, Ignore, Delete. Net effect: Nothing - The spammer still spams.

    Most effective is drilling down to their "payment provider" including the full headers of the spam and mentioning that the payment provider, aka credit card processor has an anti-spam policy.

    Dozens of spammers were left with a product to sell, but no way for anyone to purchase the product.

    SpamCop was an excellent tool to provide a complete history of the "chain of evidence."

    Do not try this with SpamCop unless you want to be banned from reporting, as was I for "altering" the spam even though there is no FAQ regarding this and the SpamCop Deputies continue to encourage users to alter the spam when SpamCop chokes on fake HTML headers and one's name is embedded in the spam.

    I received a single warning eMail and upon questioning the policy, instant ban with no explanation via email or the ng.

    For now, I hit delete and adopt the attitude of SpamCop "filters" which simply hide it from view.

    Bob

  79. Re:thank you by Anonymous Coward · · Score: 0
    >I am going to post all these addresses to a few newsgroups like alt.sex for the spambots to pick up.


    That is when you're not too busy surfing for kiddie porn, eh, Nazi pig?

  80. Law Enforcement?! by Snover · · Score: 1
    Unfortunately, the government has routinely stalled on bills trying to crack down on internet SPAM. Much like the wiretapping act, the telemarketing bill passed in the eighties to stop unsolicited faxes was not expanded into the Internet. I'd be extremely happy to see any kind of anti-spam bill being passed into law, but I've yet to see one.
    However, there are a few guidelines to avoid 99% of all spam:
    1. Don't use your ISP-provided email address. ISPs nearly always sell their email address list to email collectors to make extra money.
    2. Never get a free email address.
    3. Never use an un-spamproofed email address when registering a domain name. (There are some sadistic harvesters that crawl WHOIS registries for email addresses.)
    4. For high-spam zones, use a spamcop email address (if there is an offchance you'll get any good/positive/important messages, like in a Usenet group). [This was more cost-effective when you could purchase by the megabyte instead of having a flat-rate as all new registrees get.]
    5. Similarly, send any spam immediately to Spamcop.
    6. Use a different email address for each automated registration form. If you can't use a fake email address (this inability is becoming more and more commonplace on message boards), be EXTREMELY certain that you want to sign up for whatever service this is.
    7. Never ever EVER use Bravenet. Even when you stop your service and put your email address in their unsubscribe form, you STILL aren't unsubscribed.
    8. Similarly, never ever EVER use CrushLink. Not only is the entire concept stupid, you will be spammed into the ground.
    There are some other things you can do, but these are just a few good ideas. (One thing that works terribly well to eliminate telemarketers is to have a phone line activated but not have it connected to a telephone for a few months. As different telemarketing offices call the number and don't get an answer, you are weeded out of the system. This handy little bit thanks to a data line which we later started using as a voice line when DSL became available.)
    --

    [insert witty comment here]
  81. Wouldn't it make sense.... by kaladorn · · Score: 2

    To try something like a server-side permitted originator list? That way the downstream bandwidth from the SMTP destination to the client wouldn't be burnt up and the SMTP server could return errors to someone trying to send to a destination which had not authorized them.

    Yes, this would put some sort of list of who your friends are server-side. A bit of a privacy issue I'd guess (not that having all your e-mail readable might not put that to shame!).

    It might also take a bit more work on behalf of the SMTP server, but I don't think this would be a crippling level of work.

    Of course, the _other_ option is locating spammers and dropping 1000 lb. LGBs on their locations. That'd fix their wagons....

    ... and it would redefine the term "mail-bombing"....

    --
    -- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
  82. MTA who removes spam automatically by a_n_d_e_r_s · · Score: 1

    I would like to have an MTA that checks every email server the first time and every 1000 times that it sends a relayed email to see if the other MTA is an open relay and complain to the other's abuse email address directly and refuse to receive email from them until they fix their server.

    If that was part of sendmail it should automagically fix many open relays...

    --
    Just saying it like it are.
  83. Opt-in list for spammers by Eric+Damron · · Score: 1

    We really need to work with our ISPs for an "Opt-In" delivery system. That is, everyone would have a list of people from which they are willing to accept mail. That mail goes through directly. Any mail coming from someone not on the list is held and an e-form is emailed back to the sender. The sender then must "fill out" the request to be put on the user's mail acceptance list. The form should be made in such a way that an automated response would not be possible. Since most spammers don't include valid return email addresses they will never get the e-forms and the spam, after being held for a period, could be dumped into a bit bucket.

    --
    The race isn't always to the swift... but that's the way to bet!
  84. It needs to hit the client not the server... by Kjella · · Score: 2

    I admit it's a thought work in progress (and no, I've never managed a system running anywhere near 500.000 mails/day), but the idea was to make it cost something for the sender, not killing the ISPs server delivering it. Of course there's the problem that on the internet, everybody's a server.

    Maybe the mail server should start acting like a proxy instead of a relay, how would that work? Instead of Sender -> Local mail server, Local mail server -> Remote mail server, it'd go directly Sender -> Local -> Remote. The cost would be lack of redundancy if the remote server doesn't respond, the local server won't take the responsibility of trying later. There's still a point of going through the local server though, of course to get verification that the email address really belongs to you. With a running connection the feedback link is established and the client can do the factoring, not the server. Likewise any webinterface (yahoo etc.) could offload it to the client through a java applet or similar.

    Of course the message itself can be cached on the server as usual, so it won't matter what speed the connection is, as long as the factoring numbers get transferred properly. Perhaps having the server do the factoring as a "back-up" solution in case of temporary connection failure would work. It'd work with a few remote sites being offline, on the other hand if the connection to the outside goes down and the mail server gets filled, there's trouble in paradise...

    I haven't got any idea how much real mail servers do "behind the lines". How often can't it connect at all? How realistic is it really to replace the mail server with something that would be practically (an IM to the remote mail server) + caching proxy? Damned if I know, I just know my bandwidth is being stolen by people sending me advertisements I pay for. And I'm tired of it.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  85. Re:Optionally publish valid mail servers for domai by DickBreath · · Score: 2

    Okay, how about the reverse. Do a DNS lookup on the name of the originating mail domain. See if the looked up IP matches the sending mail server, or the recorded IP of a mailserver in an earlier Received By header, or the MX record of any such machine.

    --

    I'll see your senator, and I'll raise you two judges.
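
The lookup proposed in comment 85, sketched as an added example that is not part of the thread. The `ZONE` table, the `resolve` helper, the verdict strings and the sample messages are constructed assumptions that stand in for live DNS and real mail.

```python
import ipaddress
import re
from email import message_from_string

# Constructed zone data standing in for live DNS so the example runs offline.
ZONE = {
    ("example.org", "A"): ["192.0.2.10"],
    ("example.org", "MX"): ["mx1.example.org"],
    ("mx1.example.org", "A"): ["192.0.2.25"],
}

def resolve(name, rtype):
    """Hypothetical resolver: return record values from the constructed zone."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])

def domain_ips(domain):
    """Addresses of the domain itself plus those of every MX target."""
    hosts = [domain] + resolve(domain, "MX")
    return {ipaddress.ip_address(a) for h in hosts for a in resolve(h, "A")}

BRACKETED = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def received_ips(raw_message):
    """IP literals recorded in the Received headers of a message."""
    msg = message_from_string(raw_message)
    found = []
    for header in msg.get_all("Received", []):
        for token in BRACKETED.findall(header):
            try:
                found.append(ipaddress.ip_address(token))
            except ValueError:
                continue  # bracketed text that is not an address
    return found

def check_sender(mail_from, peer_ip, raw_message):
    """Compare the envelope sender's domain against where the mail came from."""
    domain = mail_from.rpartition("@")[2]
    allowed = domain_ips(domain)
    if not allowed:
        return "no-dns"
    if ipaddress.ip_address(peer_ip) in allowed:
        return "match-peer"
    # Received headers added before our own server are written by the sending
    # side, so a match here is weaker evidence than a match on the peer itself.
    if any(ip in allowed for ip in received_ips(raw_message)):
        return "match-received"
    return "mismatch"

# Constructed sample messages.
DIRECT = ("Received: from mx1.example.org (mx1.example.org [192.0.2.25])\n"
          "\tby mail.test.invalid; Mon, 1 Jan 2001 00:00:00 +0000\n"
          "From: alice@example.org\nSubject: hi\n\nbody\n")
FORWARDED = ("Received: from example.org (example.org [192.0.2.10])\n"
             "\tby forwarder.test.invalid; Mon, 1 Jan 2001 00:00:00 +0000\n"
             "From: alice@example.org\nSubject: hi\n\nbody\n")
FORGED = ("Received: from example.org (unknown [203.0.113.7])\n"
          "\tby mail.test.invalid; Mon, 1 Jan 2001 00:00:00 +0000\n"
          "From: bob@example.org\nSubject: offer\n\nbody\n")

if __name__ == "__main__":
    print(check_sender("alice@example.org", "192.0.2.25", DIRECT))
    print(check_sender("alice@example.org", "198.51.100.5", FORWARDED))
    print(check_sender("bob@example.org", "203.0.113.7", FORGED))
```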
  86. 20% increase in email kills AT&T? by AnotherBlackHat · · Score: 2

    Is it just me, or does anyone else wonder about a company like AT&T having massive problems because of a few spammers? Isn't it a little more likely that somebody screwed up the mail routers and they blamed it on spam? I wouldn't expect them to make a press release saying "we fucked up email, sorry.".

    -- I saw it on the internet, it must be true.

  87. Brightmail..... by Anonymous Coward · · Score: 0

    It looks like ATT needs a few more Brightmail servers. At least that way it could handle all the traffic from the MTA validators (Intermail MX).

  88. Changing the economics without micropayments by Anonymous Coward · · Score: 0

    There's a simpler solution than trying to use micropayments — change email from a push medium to a pull medium.

    The way email currently works, a sender can submit a single copy of an email to a server together with a list of addresses and that server does the work of copying the email and delivering it to each of its recipients who must then pay to store it in their inbox. This has close to zero cost for the sender.

    If, instead, the message was stored on the sender's mail server and a small notification was sent to the recipient(s), the recipient is no longer forced to pay the cost of storing the email. Instead of paying your ISP for a 10Mb inbox, you'd be paying them for a 10Mb outbox.

    With the cost of sending emails shifted back onto the sender, the economics of spamming no longer works. You can even include some sort of credentials in the notification (OpenPGP signature, unique token you generate each time you give out your address, single-line description of the message) so that the recipient can make an informed decision on whether to actually download it or not.

  89. Re:Optionally publish valid mail servers for domai by sjames · · Score: 2

    The context was corporate users on the road with laptops. That implies some sort of user account on the intranet.

    In other cases, there is a simple Free software. Look into the cyrus with SASL. It integrates with sendmail, and provides IMAP services. The SASL feature allows it to have a separate user database so that a login need not be provided.

    > What about those of us who use webmail addresses as spam traps? Now we have to use crappy web interfaces to send (or those webmail companies have to set up SMTP AUTH, with which they very well may not want to bother).

    They can either set up SMTP AUTH (no problem), or they can stay as they are (O.K. for you) and risk becoming a spam relay. Once abused sufficiently, they will either get AUTH, shut down, or be blocked so widely that it's useless for you anyway.

  90. How about Universities by hendridm · · Score: 2

    I know I could probably set something like this up on our network and nobody would say a word.

  91. An easy (partial) solution.... by NerveGas · · Score: 1

    >much of it these days is originating from Asia

    Yes, a great deal of it does come from Asia. And I, for one, don't get any legitimate email from Asia - so I simply deny all incoming SMTP connections from APNIC's IP ranges. That alone does wonders for the amount of spam that I received...

    steve

    --
    Oh, you're not stuck, you're just unable to let go of the onion rings.
  92. Re:Optionally publish valid mail servers for domai by ahodgson · · Score: 1

    SMTP AUTH. Anyone with a POP-3 account can be authenticated to send via SMTP with the same account information, without allowing others to relay.

    Though with the number of ISP's blocking outbound port 25, you might also need your server to listen to a different port.

  93. Re:Optionally publish valid mail servers for domai by Corgha · · Score: 2

    > The context was corporate users on the road with laptops.

    But the broader context is about changing the way that email works for everyone. There are lots of suggestions that might work for a small subset of users, but fail to satisfy the breadth of needs fulfilled by our current email system.

    > The SASL feature allows it to have a separate user database so that a login need not be provided.

    Shell accounts are not the point (by "login" I assume you mean shell, since any provision of a username and password is "logging in"). Forwarding addresses now are just entries in the aliases map, without any sort of account at all. (And, before you say it, no server need be an open relay). Now you're asking the sysadmin to maintain a set of SMTP accounts with usernames and passwords, and probably to write a password-changing mechanism (the sysadmin running "saslpasswd" is not acceptable). One might also need a mechanism for locking accounts after a certain number of failed logins and presenting the last successful and last failed login attempt to the user. The point is, authentication can be complicated, and "just give them all accounts" can be quite a hefty proposition.

    > They can either set up SMTP AUTH (no problem), or they can stay as they are (O.K. for you) and risk becoming a spam relay.

    OR, as things stand now, without the valid servers published for each domain, users can use their ISP's mail servers. There's nothing that indicates that the webmail companies need to be open relays or that they are now. My point is that they are unlikely to bother setting up SMTP AUTH or to become an open relay, so users who want to send mail as their webmail addresses will be forced to use the web interface.

    The other problem with all of this is that every mail client would need to be re-written to make the outgoing SMTP server dependent on the From address. Talk about a user support nightmare...

    The real question is: would this stop spam? Much of the spam I get comes from open relays and has faked From addresses (and refers me to a web site or telephone number). What's to stop someone from using as the From? (Remember that if example.com is running an open relay, they can't be relied upon to do anything responsible or not to do anything irresponsible.) The rest of it comes with a "From" on some fly-by-night domain that can set its DNS records however it likes. Some of it sets both the "From" and recipient addresses to my address (and it seems that could be blocked in other ways without a significant change in behavior).

    There is some portion that uses a "From" of yahoo.com or hotmail.com, but given all the pain through which this proposal would put non-spamming users and that the spammers would quickly adapt, I'm not sure that it's worth it to block this particular avenue of spamming.

  94. AT&T? Who's next to complain - Spamford? by adamsc · · Score: 2
    AT&T is griping about spam? This is the same company which has a ticket-closing bot answering abuse@attglobal.net (and prserv.net), which is suspected of having a number of spam-friendly contracts.


    Cleaning up the AT&T house would get rid of more than 20% of the spam *I* receive.

  95. Re:Optionally publish valid mail servers for domai by sjames · · Score: 2

    I think I see the confusion now! I was talking about measures to restrict people from originating mail with a fake from address. You're talking about receiving mail.

    The case of a simple mail forwarder is no problem. The final receiving MTA would be able to see that the From address and the originating server match and that the relaying server is a designated mail server in its domain. Meanwhile, the relay server will presumably have performed similar checks.

    None of this will necessarily kill spam, a willing ISP can set up whatever they want in their DNS just as you said. It WILL prevent abuses of innocent ISPs (as originators of spam). With that accomplished, spam servers can be blackholed with confidence and certainty without ISPs having to block outgoing connections to outside SMTP servers.

  96. Re:The first thing to be done...BTDT by Anonymous Coward · · Score: 0

    Authenticated SMTP is old hat. However,
    the current direction of IETF is away from
    passwords and towards authentication mechanisms
    that are more secure.

  97. Re:20% increase in email kills AT&T? - Poetic by Anonymous Coward · · Score: 0

    I believe them - but have no sympathy. AT&T is a
    spam supporter, so it is only fair that they get
    a dose of their own medicine.

  98. Spam Slows AT&T Email ;-) by Anonymous Coward · · Score: 0
    Are we supposed to feel sympathy for a company that itself condones spam? It couldn't have happened to a nicer company, except perhaps cn.net, kornet, PSI, SprintPink, Telstra or UUnet.
    This even handed justice that commends
    The poison chalice that we have prepared
    to our own lips.
  99. No, Korean Spam is the *Best*! by billstewart · · Score: 2

    You've got it backwards - there are mail packages such as Spam Bouncer that let you filter based on character set - if you never want to receive email in Korean, Chinese, or Russian, you can discard it all based on character-set headers. If you never want to receive email from Korea, you can even block that too. (That's a bit less reliable, because it's possible that there's someone in Korea you'd want to talk to, but you could probably set an autoresponder rule that tells Koreans that you're blocking email from there due to heavy spam levels, so they should use a non-Korean email system such as Hotmail/Yahoo/etc. to send you mail.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  100. Going E-Postal? by Dark+Coder · · Score: 1

    Why not enforce a 0.0001% tax on all outbound email, much like any country's postal system?

    And have the U.S. Postal enforce the port 25 usage/filtering and collect the money for all US-bound email recipients? Block all email until SPAMMER (and legitimate) emailers open an account with the G O V E R N M E N T.

    No more Free-SPAM.

    Oh, the pain of having a libertarian/republican complex.

  101. whitelisting fixes mailing-list hashcash problems by billstewart · · Score: 2

    Mailing lists are the obvious place where hashcash fails, because as you say, a large real mailing list has the same scaling problems that a large spammer list has. The way to fix that is for hashcash mail systems to use whitelists - if you know the sender isn't a spammer, accept mail from them without hashcash. Of course, that just encourages spammers to join mailing lists and then spam them.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
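
The whitelist-plus-hashcash arrangement from comment 101, sketched as an added example that is not part of the thread. The stamp layout is modelled on hashcash version 1 (`1:bits:date:resource:ext:rand:counter`, SHA-1); the `Gate` class, the 12-bit cost, the fixed date field and all addresses are assumptions, and date expiry is not checked.

```python
import hashlib
import itertools
import secrets

def leading_zero_bits(digest):
    """Count the zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def mint(resource, bits, date="010101"):
    """Sender side: search for a counter that gives the stamp `bits` zero bits."""
    prefix = f"1:{bits}:{date}:{resource}::{secrets.token_hex(8)}:"
    for counter in itertools.count():
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp

class Gate:
    """Recipient side: whitelisted senders skip the stamp, everyone else pays."""

    def __init__(self, recipient, required_bits, whitelist):
        self.recipient = recipient.lower()
        self.required_bits = required_bits
        # Keyed on the claimed sender address, which a sender can forge; a
        # whitelist entry is only as trustworthy as that address.
        self.whitelist = {addr.lower() for addr in whitelist}
        self.spent = set()  # stamps already used, to stop replay

    def accept(self, sender, stamp=None):
        if sender.lower() in self.whitelist:
            return "whitelisted"
        if stamp is None:
            return "reject: no stamp"
        fields = stamp.split(":")
        if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
            return "reject: malformed"
        claimed = int(fields[1])
        if fields[3].lower() != self.recipient:
            return "reject: wrong resource"
        if claimed < self.required_bits:
            return "reject: too cheap"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
            return "reject: invalid work"
        if stamp in self.spent:
            return "reject: reused"
        self.spent.add(stamp)
        return "paid"

if __name__ == "__main__":
    gate = Gate("me@example.net", 12, {"list@lists.example.org"})
    print(gate.accept("list@lists.example.org"))
    print(gate.accept("stranger@example.com", mint("me@example.net", 12)))
```

Verification costs one hash while minting at 12 bits costs about 4096 on average, which is the asymmetry the scheme relies on.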
  102. Legislation doesn't work, has bad effects by billstewart · · Score: 2
    California has a law saying that senders of bulk advertising email must include a subject line of "ADV:", or "ADV: ADLT" for porn spam. I've probably received half a dozen messages since they passed that law which were marked that way - it's much more effective to block emails with "Viagra" in the subject. The proposed Senate Bill 1618 was much more effective, even though it didn't pass, because spammers started using trailers about "According to Senate Bill S.1618, this isn't spam", and it was easy to filter out any messages containing that pattern.


    Spam laws won't work until they can be applied effectively everywhere in the world; not a chance. Meanwhile, some of the proposed laws have had significant anti-privacy terms - banning anonymous email, banning mail services that don't insist on getting your personal identification. Here in the US, we've got a First Amendment, and most of the anti-spam laws are much better at trying to weaken it than at actually blocking spam.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
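
The header and pattern filters mentioned in comments 99 and 102 (character-set headers, the "ADV:" subject tag, "Viagra" in the subject, the S.1618 trailer), sketched as an added example that is not part of the thread and is not Spam Bouncer's code. The blocked-charset set, the rule lists, the verdict strings and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.header import decode_header

# Charsets this particular recipient never expects (an assumption for the demo).
BLOCKED_CHARSETS = {"euc-kr", "ks_c_5601-1987", "gb2312", "big5", "koi8-r"}
SUBJECT_RULES = [re.compile(r"^\s*ADV:", re.I), re.compile(r"viagra", re.I)]
BODY_RULES = [re.compile(r"senate\s+bill\s+s?\.?\s*1618", re.I)]

def charsets_used(msg):
    """Charsets declared in Content-Type of any part or in an encoded Subject."""
    found = set()
    for part in msg.walk():
        charset = part.get_content_charset()
        if charset:
            found.add(charset.lower())
    # RFC 2047 encoded-words carry their own charset: =?charset?B?...?=
    for _chunk, charset in decode_header(msg.get("Subject", "")):
        if charset:
            found.add(charset.lower())
    return found

def body_text(msg):
    """Concatenate every text part, undoing base64 / quoted-printable."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        # latin-1 maps every byte, which is enough to match ASCII patterns.
        chunks.append(payload.decode("latin-1"))
    return "\n".join(chunks)

def classify(raw_message):
    msg = message_from_string(raw_message)
    blocked = charsets_used(msg) & BLOCKED_CHARSETS
    if blocked:
        return "charset:" + sorted(blocked)[0]
    subject = msg.get("Subject", "")
    if any(rule.search(subject) for rule in SUBJECT_RULES):
        return "subject"
    if any(rule.search(body_text(msg)) for rule in BODY_RULES):
        return "body"
    return "accept"

# Constructed sample messages.
KOREAN = ('From: a@example.invalid\nSubject: hello\n'
          'Content-Type: text/plain; charset="EUC-KR"\n\n(body omitted)\n')
ENCODED_SUBJECT = ("From: a@example.invalid\n"
                   "Subject: =?euc-kr?B?vsiz58fPvLy/5A==?=\n\n(body omitted)\n")
ADV = "From: b@example.invalid\nSubject: ADV: great offer\n\nBuy now\n"
TRAILER = ("From: c@example.invalid\nSubject: hello\n"
           "Content-Type: text/plain; charset=us-ascii\n\n"
           "According to Senate Bill S.1618, this isn't spam.\n")
CLEAN = "From: d@example.invalid\nSubject: lunch?\n\nNoon at the usual place.\n"

if __name__ == "__main__":
    for sample in (KOREAN, ENCODED_SUBJECT, ADV, TRAILER, CLEAN):
        print(classify(sample))
```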
  103. I have no spam problem by spike+hay · · Score: 1

    I never ever give out my email address to any website or company. I have a spam hotmail account for when I have to give an email address.
    But I use a charter.net email address as my primary account for everything else. I have never gotten any spam.

    --
    If you don't understand any of my sayings, come to me in private and I shall take you in my German mouth.
  104. Everybody's a sysadmin these days, esp. Linuxusers by billstewart · · Score: 2
    Sysadmins used to be a small community of people who were either running an organization's expensive computer system, and therefore could afford training and learning time, or people who'd built up systems (like the BBS scene) that achieved enough popularity that they often had to learn things the hard way. But that's a long, long time ago in a galaxy far far away. Everybody who's got a Linux system is a sysadmin. Everybody who runs a shared gaming system is a sysadmin. Anybody who runs an application program that can provide services is a sysadmin. You can't expect millions of people to get sysadmin clues the way you could expect a few thousand of us to.

    So what's the alternative? It's to make sure, as often as possible, to build applications programs that have security tools, and to make them as secure as possible by default. We need to try to anticipate problems that will affect lots of people beyond the intended users.


    Economics will be hard to fix, because the whole Moore's Law effect driving our industry is that computation and communications keep becoming radically cheaper, and email has been really cheap for a long time. What we have to do is find ways to use those economics for spam prevention - as pattern recognition becomes easier, it's more usable for tracking down spammers, and you can make it *much* easier by techniques like seeding your websites with bogus email addresses you can use to trigger defensive responses, track down spammers, and get ISPs to block abusers. It's also important to use our communications abilities to coordinate spam detection and blocking - the RBL and its relatives are a beginning for this kind of process. Teergruben are another approach, especially if they can be coordinated. But it's also important to make sure that anti-spam tools aren't easily abused as Distributed Denial Of Service attacks (e.g. forging spam leading to mailbombing or long-term blockading of the forgee), which is amazingly easy (e.g. suppose you reply to a spammer's "remove me" address with a thousand emails of "From: bogusaddress1@bogus.net\nSubject: Unsubscribe\n\nbegin 666 vmunix\n....")

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  105. Mixing Teergrube with RBL, Seeding, DNS by billstewart · · Score: 2
    One way to run a teergrube system is to use a machine that doesn't have any real email users, and to seed your web sites with a bunch of email addresses on that machine. It's a nice thing to do with a cable modem or DSL server if you're not actually receiving email there. Many of the popular spamwares work by spidering the web to harvest fresh addresses of victims (though that's partly because they're competing against the people selling lists of 19 billion valid email addresses, but those losers get many of their lists by harvesting as well.)

    An entertaining way to use Teergruben would be to set your DNS server to respond to requests from RBL locations with random teergrube servers. Hand them an MX record for some machine they really don't want to talk to...

    If you've got a number of people running teergruben, you can share bogus addresses on each others' domains, you can spread around the damage so that the spammers end up stuck on lots of teergruben at once.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  106. One reason for Korean Spam - Cable Modems by billstewart · · Score: 1

    I'm just speculating here, but one reason there's so much spam from Korea is that it's a high-tech country, but another reason is that there are a few million people with cable modems. If they're running software that's got open relay capability, there's a lot of potential spam that can be forwarded. Another reason, of course, is that Korean is a tough, bizarre language that doesn't use a Roman alphabet and isn't close enough to anything else for most non-Koreans to be good at writing useful complaints to administrators....

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  107. How Ironic. by NFW · · Score: 1

    Go to www.marketing-2000.net
    Guess what business THEY are in?

    nslookup www.marketing-2000.net:
    12.160.137.140

    whois 12.160.137.140@whois.arin.net:
    AT&T ITS (NET-ATT) ATT 12.0.0.0 - 12.255.255.255

    And yes, AT&T is aware of this. Have been for some time now. They seem not to care.

    --
    Build stuff. Stuff that walks, stuff that rolls, whatever.