Slashdot Mirror
Spam Slows AT&T Email
jonerik writes: "MSNBC has this article about AT&T's frustration with the increasing quantity and sophistication of spam traffic. As has been noted here already, much of it these days is originating from Asia and, according to the article, 'now represents 20 percent of all e-mail floating around the Internet.'"
Most of it originates in the USA! And you don't know how annoying it is getting spam for USA paraphenalia, gas masks etc when you are not USian!
The War on Spam must be fought on several fronts, not just one. These evildoers can be defeated by striking them in American courts and fixing the open-relay problem in Asia.
The owls are not what they seem
Steps in curing email spam
1. Close all open relays. That way the route of email is from your ISP to their ISP. [well at least as far as SMTP is concerned]
2. Use a HashCash like system.
3. Actively deny connection from IPs that try to connect more than N times in L seconds.
Duh...
Someday, I'll have a real sig.
The only reason that spam is a problem is because everyone has access to email you at your email address. It's the same problem with your phone. Anyone can punch in your number from their phone and dail you directly.
Your P.O box, however, can only be given mail from the actual Post Office. (I'm making an open-relay analogy) Nobody can walk in from the street and legally place mail into your mailbox. Although using a Post Office type deliverer for mail won't filter any spam, it will keep messages that are sent from outside the "post office" deliverer.
So, we need to decide that email doesn't work for private internet messages and come up with a different tool for getting personal messages online, otherwise we will continue to get spam.
I really hate Dan Patrick.
This ongoing 'war on spam' will only really be dealt with when two things happen:
1 Sysadmins living in a 'clue fee zone' must be wised up. This means, amoung other things, more education for sysadmins, better products and documentation, better or more translations of documentation, etc. It should be easy to obtain documentation in your local language. Every HOWTO has to have an accurate, up to date translation readily available. As should documentation for proprietory products.
I don't like viruses nor encourage illegal break-and-enter of another person's computer, but a 'whitehat' virus that shuts down the relay component of an email server would be damn handy.
2 The economics of SPAM must be altered, literally turned on their head. It costs to receive bandwidth, but (generally) little, or none at all. (The obvious exception is when you have a bandwidth intensive site that requires nice fat outward pipes). It costs so little to send, just electricity, enough money for a bulk sender (off the shelf or home brewed) and a net connection. Pay the real cost of outgoing mail and watch the volume of spam decrease to an approximation of zero.
Don't know how this last one will be achieved except via a totally new version of 'the net' (or at least a new set of RFC's).
Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music
One good thing to keep in mind is that the more recent default configurations of mailer packages are configured to deny relaying. So as mail servers get updated, reloaded and replaced, the problem of open relays will become much smaller. And the clueless sysadmins will have to learn more about their systems in order to turn that function back on. Hopefully they will have had a good speaking to regarding their decision by then, too.
Intelligent Life on Earth
I've seen code to trap the spiders the spammers use and fill up their databases with crap. What I haven't seen is a honeypot designed just for spammers - a box that *looks* like an open relay, but not only doesn't forward the spam messages, it logs and possibly automagically retailiates against the originator. The anti-spam groups have had good luck attracting spam with email addresses set aside for that purpose, but we need to take it to the next level and have some anti-spam servers. Maybe just a simple bot to start listening on port 25 and responding like known weak versions of sendmail when accessed would do. Any of the mighty code ghods here at /. want to see what they can come up with?
You're just jealous 'cuz the voices talk to *me*
The other possibility is a net-block equivalent of ORBS. Some on the Sec-Focus Incidents list (and other fora, over the years) have bounced around the idea of blocking netoblocks who'#s POCs don't work, or who don't have or respond to mail to the RFC-mandated abuse@, security@, hostmaster@,.. standard mail accounts. I'm all in favour. Automate probes, the way ORBS did for anonymous relays. I think this would be a Good Thing. People do have a legitimate need to communicate between Asia, America and Europe: simply dropping everything from .kr is evil and wrong, IMHO.
Finally - y'all know that anonymous HTTP proxies are just as bad, if not worse, than traditional open mail relays? Just testing ;)
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
I often get email where the from domain claims to be yahoo.com, but it was sent via an as-yet un-rbl'd server. As it stands your smtp server will accept a mail from anywhere not in a block list, with no checking on whether the server sending you the mail is a legitimate server for that email's claimed from address.
:).
In the same way that RBLs are published via DNS records, it could be useful to have a scheme whereby for your email domain you can advertise (via dns) what hosts are authorised to send email for that domain.
So a mail comes in from a yahoo.com address, you do a dns lookup on the incoming connections ip address appended to validservers.yahoo.com or whatever the convention decided upon is, and the result would tell you if it's valid. You'd also need a way to check that yahoo.com is actually advertising the valid mail servers (and if it isn't, you failsafe and accept the mail).
This scheme wouldn't be compulsory, and would probably be suited mainly to free email providers, large corporates. The downside of it is that if you have a yahoo.com address, but want to run your own smtp server to deliver your mails, then you'd fall foul of such a system. I don't think that's a biggy though - if you could run your own smtp server, you'd probably not use a yahoo.com address you'd have your own domain
While I'm rambling, another system which could be done is a protocol for verifying email addresses (you could also do this via dns too, I guess, but dns is getting cluttered enough as it is). For a given email domain it has an entry (in dns) for an email address verification server. When an email comes in, you check if there's a verification server for the source domain of the email, and if so try connect to it, and then submit the email address for verification. Depending on whether it says yay or nay, you accept or reject the mail. If they're not running a verification service, you just failsafe. I know SMTP vrfy exists, but sites often turn it off, or it doesn't do anything useful as the external server is just forwarding mail, etc etc.
These systems wouldn't be so useful until they got adopted by hotmail.com, yahoo.com, eudoramail.com, aol.com etc, and I'm sure people have toyed with these ideas before and maybe there are downsides which outweight the benefits or maybe someone knows of implementations of such a thing.
The reason for the spam is because of the prepaid internet access common in asia! You buy those prepaid cards, in malls, and you are totally anonymous if you buy in cash. As discussed here, the spam therefore come from asia, but the content of the spam is from the US.
--- BEGIN PARANOID RANT ---
So I guess since they know what 20% of Internet e-mail traffic is... they must be monitoring 100% of it... Hey AT&T, can you give us a pie chart that categorizes all e-mail sent throughout the Internet...? I'd like to see the data points; and even more interestingly, how you got them.
--- END PARANOID RANT ---
If ISP can't play nice, drop their address blocks. (Dropping all of China wouldn't be much loss right now.) The trick is to block all an ISPs blocks, not just the spammer's IP. Spam friendly ISPs routinely shift the IP address. When their legit customers start leaving they'll wise up.
It gives me the warms fuzzys when some spam friendly ISP posts to news.admin.net-abuse.email, and asks pretty-please to be taken of the blocklists. (Then someone points out that they got spam from them in the last couple of days, and to take a flying leap.
One line blog. I hear that they're called Twitters now.
I agree with the other posters who note that the economics of Spamming need to be reversed in order to stop it, but I think that, even before that, public opinion needs to be swayed such that it is perceived as a significant problem worth addressing all over the place, not just at one ISP or for one open relay. A lot of people have just gotten used to ignoring/deleting 5, 20, 100 spam messages per day. "It's just part of using the Internet, right?" This needs to change. When things like the AT&T congestion happen, they should be used to get the public a little more outraged.
I get 15 spam emails from .tw domains (not the fake addies, but the real origin) or chinese domains, on my old but still working mailaddy, DAILY, and that are slow days, sometimes I have more. They are for 100% useless to me, since I can't read/understand mandarin, nor am I living near the stores spamming me to pick up goodies they wanna sell me. If there is ONE thing I want to do is to shut out .tw domains from emailservers.
Never underestimate the relief of true separation of Religion and State.
This is a great example of the Free Market at work!
So is the trafficking of stolen car parts. But it doesn't make it right, ethical, moral, or legal. No, spam is a great example of theft at work. The spammers are taking bandwidth and e-mail storage that they don't pay for. They are inconveniencing Internet users while costing them more money (it's Internet users everywhere that bear the cost of spam traffic, storage, filtering, and response).
This is a fantastic example of where we need more, not less, government regulation and laws. We need laws that moke people criminally and civilly liable if they send spam or pay to have others send it. We need laws that indemnify ISPs and blacklists from lawsuit for blocking spam e-mail.
If allowing some bunch of amoral assholes to interfere with the delivery of e-mail to millions of users is your idea of how the free market should work, then I cannot imagine a better argument against a free market.
As the wired article points out, email itself is under attack here. Yesterday, I got a stupid snail mail advert from Earthlink with much the same stuff in it as I'm reading here. While promissing "raw unfiltered internet" they also claimed to be blocking more "spam"(70%) than other ISPs, AOL (40%), MSN(40%), ATT(40%). As you can see, spam is a marketing tool. Should we be supprised when compainies with the morals of M$ abuse open relays to send messages like "fck me like a slut"? Would it be supprising if a large country trying to halt communications between it's people and other countries also abused email? The abusers all have the same goal, to destroy email. The more you block, the happier they are.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
...and I still don't see why it won't work. Have something that'll keep my machine occupied say, five seconds per mail, which could possibly be fifty for the slowest ones out there, but hardly a crisis for a mail to someone you've never sent mail to before. However a spammer is usually sending multi-recipient messages, and in massive amounts. Thousands times a couple of seconds at full load = high electricity bill, machine costs (need a fast machine, not a P75 spitting out mails) and much slower.
Also, include the following: Address verification *after* factoring. So people scanning will have to factor on every attempt (and people who made a typo will also factor once for no result, but they do it once, not a hundred times).
Naturally, you should be able to add a group of trusted addresses and domains that don't need to do this. Also, mailing-lists and similar should have the possibility to request this. This would not be a regular mail and so can't contain spam. It'll only contain the who and what, no body. "subscribe@somewhere.com requests authorization to send you 'Somewhere.com newsletter'". If authorization is granted, your server would get back to the originating server and tell it's ok. This would be the normal opt-in message you recieve today, only now put into a system.
As the factoring should occur upon delivery of the mail, it'd have to reside serverside, so I guess there would be some privacy issues about the server knowing who you trust, but I don't see that as a big problem.
Techincally, it shouldn't be any problem:
Server: 2x pseudoprime generation, multiply, send.
Client: Factoring algorithm, return.
Server: Verify through division or comparison with original.
The problem? As long as spammers can just fall back to the old protocol, it doesn't improve anything. But if it starts somewhere, others might catch on, and in the end people might just fish out non-spam messages out of their conventional mails, encouraging them too to use the new system, and in the end just block conventional email altogether. It's a long term solution, but the end result is a lot more promising than most other suggestions I hear.
Kjella
Live today, because you never know what tomorrow brings
you can do this already. Do an RDNS lookup on the IP of the server and reject it if the domain in the 'from' doesn't match.
Fsck the millennium, we want it now.
Millennium Crisis Line: 0890 900 2000 [calls cost 50p/min]
I am very careful with email addresses - though obviously not careful enough :-) ;-) }
This week I recieved my first ever unsolicited email from my own country - a real world business {thats choiceco@aol.com , choicewatford@aol.com and info@choiceofficefurniture.com for any spambots reading!! Fight fire with fire
As far as the spam from US people using open relays in asia, sure shut them out/down - unfortunately the spammers wont give up quite as easily as that, i'm sure they will find some other way to send their crap.
no sig.
Do you seriously think that spam is coming from ancient linux distributions?
No way... It's come from brand new machines with dual processors and half a gig of ram that are ready to process a LOT of email.
These people aren't being exploited with open relays... Some are but most aren't. They're being paid to place open relays out there.
What do they care, American businesses want to pay them to spam Americans. Many of them don't even like Americans anyway.
Asian ISPs don't care or we would have heard from them by now.
Blacklisting Asia is not such a bad idea. The biggest problem with blacklisting asia is all the people that won't unblacklist them if they get their problem fixed.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Kornet.net (the biggest offender)
abuse@kornet.net, ip@ns.kornet.net, ip@ns.kornet21.net, domain@NS.KORNET.NET, donghk@soback.kornet.net, ever@kt.co.kr, jeonnam3@soback.kornet.net, jeon@kornet.net, jeonbuk3@kornet.net, koreatelecom@KORNET.NET, gfd5246@soback.kornet.net, gspark@kornet.net, help@KORNET.NET, helpdesk@KORNET.NET, haewha1@soback.kornet.net, heyeunmi@kornet.net, kmhno1@soback.kornet.net, hopewon3@soback.kornet.net, kgromc@soback.kornet21.net, kmhno1@soback.kornet.net, legal@KORNET.NET, network@kornet.net, packet@soback.kornet.net, postmaster@kornet.net, postmaster@soback.kornet.net, postmaster@ns.kornet.net, postmaster@soback.kornet.net, pusanpub@soback.kornet.net, root@soback.kornet.net, root@kt.co.kr, service@kornet.net, support@kornet.net, system@kornet.net, yjjeon61@kornet.net, abuse@ns.kornet21.net, domain@ns.kornet21.net, network@ns.kornet21.net, postmaster@ns.kornet21.net, resume@kornet.net, root@ns.kornet21.net, service@ns.kornet21.net, support@ns.kornet21.net, system@ns.kornet21.net, wong@kornet.net, abuse@ASADAL.NET, postmaster@ASADAL.NET,
Itnsoft.com (the #1 spamvertised Korean domain)
abuse@itnsoft.com, help@itnsoft.com, ip@ns.kornet.net, hostmaster@nic.or.kr, marom@itnsoft.com, postmaster@itnsoft.com, root@itnsoft.com, eglee@yesnic.com, info@yesnic.com, hostmaster@yesnic.com, postmaster@yesnic.com, eglee@whois.co.kr, postmaster@whois.co.kr, whois@whois.co.kr, brkim@INWANG.NOWCOM.CO.KR, domain@NOWNURI.NET, busisik@nownuri.net, kbr@nownuri.net, memory@nownuri.net, abuse@nownuri.net, postmaster@nownuri.net,
DreamX.net (Korean porn spam, mostly)
abuse@dreamx.net, abuse@cjdream.net, abuse@todream.net, admin@dreamx.net, admin@cjdream.net, administration@dreamx.net, administration@cjdream.net, billing@DREAMX.NET, billing@cjdream.net, brkim@cjdream.com, dns@dreamx.net, dns@cjdream.net, dnsadmin@dreamx.net, dnsadmin@cjdream.net, domain@DREAMX.NET, domain@todream.net, domains@DREAMX.NET, domain@todream.net, feedback@DREAMX.NET, feedback@cjdream.net, help@DREAMX.NET, help@cjdream.net, helpdesk@DREAMX.NET, helpdesk@cjdream.net, hostmaster@dreamx.net, hostmaster@cjdream.net, inhanna@cjdream.net, info@dreamx.net, info@cjdream.net, jyan@dreamx.net, jyan@cjdream.net, ley319@dreamx.net, loveabuse@dreamx.net, loveabuse@cjdream.net, mail@dreamx.net, mail@cjdream.net, mgr@cjdream.com, news@dreamx.net, news@cjdream.net, newsabuse@dreamx.net, newsabuse@cjdream.net, postmaster@dreamx.net, postmaster@todream.net, raven3@dreamx.net, raven3@empal.com, root@dreamx.net, root@cjdream.net, soip@cjdream.com, sales@dreamx.net, sales@cjdream.net, sbkim091@dreamx.net, sbkim091@cjdream.net, service@DREAMX.NET, service@cjdream.net, solhan@cjdream.net, spam@DREAMX.NET, spam@cjdream.net, support@cjdream.net, support@dreamx.net, sysop@DREAMX.NET, sysop@cjdream.net, sysop@todream.net, tech@dreamx.net, tech@cjdream.net, technical@dreamx.net, technical@cjdream.net, technicalsupport@dreamx.net, technicalsupport@cjdream.net, system@cjdream.net, system@dreamx.net, sysop@todream.net, ykshin@cjdream.net, ykshin@dreamx.net, eglee@yesnic.com, info@yesnic.com, hostmaster@yesnic.com, eglee@whois.co.kr, brkim@INWANG.NOWCOM.CO.KR, domain@NOWNURI.NET, kbr@nownuri.net, memory@nownuri.net, busisik@nownuri.net, abuse@nownuri.net, postmaster@nownuri.net, inhanna@sysone.co.kr,
Thrunet.com
abuse@thrunet.com, abuse@korea.com, admin@thrunet.com, admin@korea.com, administration@thrunet.com, dns@thrunet.com, dns@korea.com, dnsadmin@thrunet.com, domain@thrunet.com, feedback@thrunet.com, feedback@korea.com, help@thrunet.com, helpdesk@thrunet.com, hostmaster@thrunet.com, mail@thrunet.com, mail@korea.com, news@thrunet.com, news@korea.com, newsabuse@thrunet.com, postmaster@thrunet.com, postmaster@korea.com, root@thrunet.com, service@thrunet.com, support@thrunet.com, sysop@thrunet.com, tech@thrunet.com, tech@korea.com, technical@thrunet.com, technical@korea.com, technicalsupport@thrunet.com, youngkim@thrunet.com, youngkim@korea.com, hostmaster@nic.or.kr,
hananet.net
abuse@hananet.net, bluelinux@hananet.net, domain@hananet.net, domains@hananet.net, feedback@hananet.net, help@hananet.net, helpdesk@hananet.net, info@hananet.net, hostmaster@hananet.net, lee@hananet.net, linux@hananet.net, news@hananet.net, postmaster@hananet.net, root@hananet.net, service@hananet.net, spam@hananet.net, support@hananet.net, system@hananet.net, sysop@hananet.net, tech@hananet.net, technical@hananet.net, webmaster@hananet.net, WooJooLee@hananet.net, WJLee@hananet.net, ysjeon7@hananet.net, bspark@kci.co.kr, bluelinux@YAHOO.CO.KR, abuse@YAHOO.CO.KR, postmaster@YAHOO.CO.KR,
KIDC.NET
abuse@KIDC.NET, billing@KIDC.NET, dnsadm@KIDC.NET, domain@KIDC.NET, guard@kidc.net, helpdesk@KIDC.NET, hostmaster@KIDC.NET, hostmast@KIDC.NET, hjryu@kidc.net, ishan96@kidc.net, postmaster@KIDC.NET, root@KIDC.NET, security@kidc.net, support@KIDC.NET, abuse@BORA.NET, anti1473@bora.net, b4012391@users.bora.net, badmail@bora.net, billing@BORA.NET, dnsadm@BORA.NET, domain@BORA.NET, help@BORA.NET, ipadm@bora.net, ipadm@nic.bora.net, hostmast@BORA.NET, lyt082@bora.net, news@BORA.NET, postmaster@BORA.NET, root@BORA.NET, security@BORA.NET, sysop@BORA.NET, ysjeon7@bora.net, sexxkorea@hanmail.net, abuse@hanmail.net, postmaster@hanmail.net, hostmaster@hanmail.net, abuse@chollian.net, muscle73@chollian.net, zcedomain@chollian.net, znotice5@chollian.net, abuse@kr.iasiaworks.com, postmaster@kr.iasiaworks.com, webmaster@kr.iasiaworks.com, 1004@domain1004.com, I@i1004.com,
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
Anyway, blocking outgoing port 25 is a stupid idea. Many of us work from home and have our own domains, and we legitimately want to have our outgoing mail show our own domains, not @attbi.com or @rr.com or whatever.
There are also some practical problems:
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Maybe this is a good thing. First, it provides a graphic rebuttal to the people who say "Why worry about spam, just hit the Delete key and it's not a problem anymore.". A slowdown like this is a big problem, and hitting the Delete key won't solve it because the servers are still bogged down delivering it so you can delete it.
Second, if the majors like AT&T start getting affected like this, maybe they'll start taking it seriously as a "this is going to cost us customers" problem. The spamhauses have hidden behing the fact that it doesn't cost their providers much to keep them around and they do pay their bills. If this kind of realization sinks in, the majors may start looking for the ultimate source of the spam (not just the relay they used, but the person/company actually responsible for the spam) and punting them from their networks completely to avoid ticking off the other major players. If I call UUnet and complain about a paying customer they're not likely to listen. If AT&T calls UUnet, they've a slightly bigger club to wave.
I got spam from the DNC. They use Cheetahmail.
Now, I'm a registered Libertarian, and have never given the DNC my email, or any indication that I want to hear from them...
Go figure.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
See? this is where I think the Gov. is failing. We got something that we all commonly HATE: SPAM.
:).
We have a common target on which we'd love to see some LEGISTLATION against it, for once.
And what is the Gov. doing? Passing laws left and right to protect big corporation, to reduce your rights as consumers, to be a complete pain in the ass and give themselves the right to sue the planet, but what is being done for the VOTERS, the USERS, the people paying the tax dollars?
Well this is one case of an EASY win of public opinion, heck, they could even pass a few bad things without people noticing it because we'd be so impressed that our elected people actually did something for the PEOPLE.
Ok this sounds like I am frustrated against the system but you get the idea... of course a global spam law and action will be taken one day... when all the big corporations will be really pissed. Or major ISP be fed up paying bandwidth for SPAM, Look now AT&T is starting the run, shouldn't take long now before we get something out of this.
I think blocking ASIA would be a good thing, a pain in the start, obviously, but for a good cause, when they'll see they can't conduct buisness properly, they'll move and close those open relays and hey, screw human rights on spammer, you can KILL the biggest of them and I don't see anyone here who'll be really upset, for once
Spam is doing 20% of the global traffic, the numbers are about right with what I see in my mailbox, as for my hotmail mailbox though, it's more like 95%.
--- Metamoderating abusive downgraders since my 300th post.
I've never seen a luggage cart accept less than a few bucks. They also keep 25 or 50 cents or so.
The point is that there needs to be economic value in doing this. Micropayments haven't taken off because it's not worth the effort to track down individuals for payments of a few cents.
To make this system work, you would need some way to identify and charge the original sender (ISP or self-hosting company or individual), and you would charge something like $0.25 per message. The ack might refund $0.20, to provide a small fee to cover operating the system.
Even if someone sent a 100 messages every day, that's only a few bucks in access fees. But the spammer who sends 100k messages in a single month would get hit hard.
Of course, there's also the problem of mailing lists, etc.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Hi!
This would be a problem for notebook users. If you're running a POP3 server in a corporate environment, one of the problems you have to contend with is traveling users (sales people, etc.) who want access to mail, and want to be able to send mail at the same time. One solution (for Windows NT users) is to implement the SMTP server that's built into NT. Have the road warrior send from his local SMTP server, but retrieve his mail from the corporate POP3 server.
One could, I suppose, simply add all those road-warrior notebooks to the list of authorized MTAs. But in a large-ish corporation it might be a record-keeping nightmare.
Okay... now that business interests are being demonstrably damaged (affected) maybe something can and will be done!!
Proof of damages clearly removes the age-old argument "just delete it! don't be such a whiner!"
The "Asian" spam people are concerned with doesn't always precisely "originate" from asia in the truest sense, however, it does come from mail relays being prone to being open.
On today's roads, a driver's license is required in most countries and certainly in the U.S. The purpose is at least partially to demonstrate proof that they have met minimum required skills and knowledge to operate a vehicle lawfully and safely. I hate to say "Hey, we need even MORE legislation" because I generally stand for smaller government. However, I believe that since the IIS flaws which still exist today (along with unpatched and currently still infected operating Windows boxes) combined with other people running servers with open relays among many other problems, I'm beginning to think that having an operator's license (not unlike a radio operator's license) should be required for internet usage.
Not only could this better raise awareness of security, but also netiquette and some basic technical understanding about the net and how things operate.
So, to just run a "client" computer, no license or something very minimal should be required. To run a personal or private server (email, web, ftp, whatever...small or limited use) something of a "Class C" license should be required. ISPs and hosting companies should require a professional license and such.
I don't propose that these cost any money or require any given renewal concerns. Costs should be extremely minimal to the point that it doesn't matter and only serves to fund the project. I just think that while we can't have "joe user" installing a Windows Server or some default *NIX to utilize the internet should be held accountable for his lack of knowledge, skills or ability as it DOES affect the rest of us in some way or another. Negligence in other areas of life are punishable offenses.
As things stand now, the internet is treated as a concern that is separate from daily life, however, I hold that for some, the internet is as essential to public access as our roads are! I don't think this notion is far fetched and I don't think it will "shut out" too many people.
In addition to that, suspending a license could be a more appropriate punishment for certain hacking activities as opposed to life in prison and never again accessing a computer device.
Anyway... I'm sure this idea in its basic form has a great deal of merit and will serve the public good. The devil is in the details and we should be very careful with its implementation. (example: licensing/certifying Operating Systems as 'internet safe' and such might be an issue of great concern and commercial interest.)
http://razor.sourceforge.net/
Deleted
The cause of the mail slowdown has been discussed in the worldnet.* internal groups.
fencepost
just a little off
I beg to differ with you on many points:
FIRST! Filtering at the receiving end is not the answer... at least not the whole answer and doesn't address all the other problems. The filter does not prevent the use of bandwidth!! It merely prevents the packets from being processed beyond initial reception and inspection. So the badthwidth is still being eaten.
SECOND! As another reader/writer has commented, in order to own an internet domain, a valid email address MUST be supplied. This is completely unavoidable. And simply being 'vulnerable' is not an excuse or justification for someone else to unfairly exploit your resources!!!
I also use ATTBI but I don't use the email service they provide. I guess it means I don't get the updates, bulletins and other information but asside from having essential connectivity, I get my services from elsewhere. I'm very happy with that arrangement.
One could, I suppose, simply add all those road-warrior notebooks to the list of authorized MTAs. But in a large-ish corporation it might be a record-keeping nightmare.
Just use authentication for them. Surely, it wouldn't be any harder than keeping user accounts on the intranet servers up to date. It could even use the same authentication database.
I hate spam with a passion, and go to great lengths to keep from even seeing it in my In Box.
I still keep an AOL account, and it was YEARS ago when it hit the point where it became more convenient to block all mail and have to add someone's address to my whitelist before they could send me anything, than to delete all the spam that hit that account without the whitelist.
I do much the same thing with my regular e-mail client. The last rule enacted on messages that aren't filtered out by the rules before it, basically puts everything into Deleted Mail, and it gets trashed automatically after 3 days. I peek in there once per day and almost never have to adjust any rules because non-spam accidentally was marked as spam.
~Philly
Got hit with this a couple days ago. Hmm, Why am I (postmaster) getting 400 bounce messages from one of our webservers? (we are an isp).
Starting digging through the logs and find an autotmated tool is using an old version of formmail that one of our users had installed. Seems like a spider found that is was a formmail cgi and tested it and found it to be vulnerable. so It sent e-mail to an aol box. 4 hours later what appears to be a Windoze program using the Microsoft URL Control is Sending tons of messages through this formmail cgi. By passing any rules we have setup in the mail server to dynamic blackholing of people that send too many messages or messages with too many invalid to's in the header, cause it came from a trusted host.
Besides that fact that I was pissed, I was intrigued. That was pretty slick, once you start closing down one way for them to spam they keep coming up with more.
On a side note we have found that if you simply strictly follow the RFC's you cut back a lot of mail you accept, and also Doing a reverse dns lookup, just to make sure their ip resolves to something helps a lot. By turing on Reverse Dns lookups and not accepting mail from ip's that don't resolve. We drop about 68K messages a day.
To E-mail me, replace the first period in my domain with an @
Do an RDNS lookup on the IP of the server and reject it if the domain in the 'from' doesn't match.
Which, of course, drops some valid mail, like mine, which has a from: okstate.edu and IP of x8b....dhcp.okstate.edu.
At least that's what my ISP does. I have to set up my sendmail to smarthost through my ISP's mail server, and it works fine.
The downside of it is that if you have a yahoo.com address, but want to run your own smtp server to deliver your mails, then you'd fall foul of such a system. I don't think that's a biggy though - if you could run your own smtp server, you'd probably not use a yahoo.com address you'd have your own domain :).
Actually, this is a pretty big downside for many users. Every once in a while, someone proposes a similar scheme that makes it hard or impossible to "forge" From addresses. This is not exactly that, but it's close enough. The problem is that this is a perfectly legitimate and necessary use of email, and is, in fact, discussed in RFC 822.
The basic problem is that many of us wear quite a few different hats, each of which has one or more email addresses. Suppose I want to send an email using my personal address while I'm at work, or my work address while I'm at home. Suppose I need to reply to some email sent to an official address using that official address as the header From, and that I also want bounces to go to that address so that others at that address can see if my reply was not sufficient (requiring a change in the envelope From). Maybe I do run my own smtp server and domain, but I want to use my spam-trapping yahoo address to reply to yahoo mail (for privacy reasons), and I want to use mutt instead of some stupid web interface. Maybe I'm a sysadmin who wants to set up a number of forwarding addresses (perhaps official addresses for some project on some domain). Now my one-way service has to be a two-way service; instead of just editing the aliases file, I have to set up an account for each of the people who needs to send mail. These are just some of the things that I happen to do on a daily basis and that adoption of your system might make impossible or more of a pain.
Sure, a lot of times this can be solved by some sort of remote access or SMTP auth, but it would certainly be less convenient (especially because some sites are difficult to access remotely). The bigger problems are social: many of the users I know who do these sorts of things aren't the most technically-savvy; many domains are unlikely to introduce the features necessary for full remote access (so then it becomes less of an inconvenience and more of a loss of service).
The good thing about your proposal is that it's opt-in for the sender's domain (whereas most others are opt-in for the recipient's domain), and it therefore gives a domain more control over its email addresses (as opposed to less with other schemes). It allows example.com to say "we want mail from addresses in our domain sent out via only our servers." Presently, anti-relaying provisions in servers make it possible to say "we want only mail from addresses in our domain sent out via our servers." This just completes things.
I guess it depends on your perspective. As a sysadmin, I'd be happy to have the power to turn this on for my domain (though I probably wouldn't, and other domains might not use it -- look at how terrible people are with MX records). As a user, I'd be unhappy if one of my sysadmins turned it on, but happy if some of the domains spammers use and I don't use turned it on. I guess it might be sort of a "not in my backyard" issue, which might limit its adoption. Another problem might be sysadmins that block domains which don't have these records, thus taking the power away from the sender's domain again.
While I'm rambling
While I'm ramblingly replying:
When an email comes in, you check if there's a verification server for the source domain of the email, and if so try connect to it, and then submit the email address for verification. [...] I know SMTP vrfy exists, but sites often turn it off
They turn it off because it can be abused by spammers looking for valid addresses or is in some other way a privacy concern. What you propose is functionally equivalent to VRFY (except that it can run on a different server), so I doubt it would be turned on either. However, it might not be a bad thing for servers to *try* to VRFY an address, and only block if VRFY returns "no such user" (not "permission denied"). If a separate protocol and server is desirable, there is always good old finger (though it's maybe a little too free-form), but VRFY makes more sense, as the primary mail servers should know to whom they can deliver mail.
Just use authentication for them. Surely, it wouldn't be any harder than keeping user accounts on the intranet servers up to date. It could even use the same authentication database.
What accounts? What authentication database? Presently, the existence of a mailing address does not imply the existence of a user account. Consider forwarding-only addresses. Should all the volunteers behind bugs@opensourceproject.example.org require accounts? Maybe the sysadmin is a volunteer, too.
What about those of us who use webmail addresses as spam traps? Now we have to use crappy web interfaces to send (or those webmail companies have to set up SMTP AUTH, with which they very well may not want to bother).
...and so on, and so on...
Quote:
"According to Brightmail spokesperson Francois Lavaste, an unidentified Internet marketer overwhelmed Brightmail's filtering system with messages, slowing down all e-mail delivery."
Why not name and shame them?
If they used their own servers then you know who they are, and if they didnt (although the sheer volume means it is very unlikely they could have used an open-relay unnoticed) then trace them back and make an example of them.
They are clearly a professional operation so bad press is going to make them look really bad in front of their existing clients, and if you tried hard enough you could have great fun suing them for all they were worth...
Maybe if AT&T disconnected some of the half-dozen active spammers on their network I keep complaining about, they'd get some sympathy.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Perhaps we need to educate the sysadmnins who keep relays open that the spammers are stealing their bandwidth and system resources, not just those of the people who get spammed.
Since spammers by their very nature do what they can to hide in anonymity (both to make it hard to filter repeat offenders and hard to track them down to "cancel" them), it makes me wonder if a push to fully authenticated e-mail might solve this.
I'd hate to label every piece of e-mail with a valid certificate (forcibly associating someone's words with their identity), though, but given the way things are moving, I can foresee this in the next 10-20 years.
Everybody will have a digital certificate, and every e-mail will be transparently and automatically signed with this certificate. People on the receiving end will know who's sending the message not by looking at the From: header but by examining the identity of the certificate, and users will be given the option to reject or accept messages that aren't signed (meaning the identity of the person can't be trusted). Since a high and growing percentage of this anonymous mail will be spam, eventually more and more people will start rejecting it, and spam will neatly kill itself off (at the same time killing off the ability for people to send e-mail anonymously).
It's a sad state of affairs, but it's going to be impossible in the near future to differentiate between e-mail sent from someone you don't know, and mass e-mail sent from a spammer.
To try something like a server-side permitted originator list? That way the downstream bandwidth from the SMTP destination to the client wouldn't be burnt up and the SMTP server could return errors to someone trying to send to a destination which had not authorized them.
... and it would redefine the term "mail-bombing"....
Yes, this would put some sort of list of who your friends are server-side. A bit of a privacy issue I'd guess (not that having all your e-mail readable might not put that to shame!).
It might also take a bit more work on behalf of the SMTP server, but I don't think this would be a crippling level of work.
Of course, the _other_ option is locating spammers and dropping 1000 lb. LGBs on their locations. That'd fix their wagons....
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
I admit it's a thought work in progress (and no, I've never managed a system running anywhere near 500.000 mails/day), but the idea was to make it cost something for the sender, not killing the ISPs server delivering it. Of course there's the problem that on the internet, everybody's a server.
Maybe the mail server should start acting like a proxy instead of a relay, how would that work? Instead of Sender -> Local mail server, Local mail server -> Remote mail server, it'd go directly Sender -> Local -> Remote. The cost would be lack of redundancy if the remote server doesn't respond, the local server won't take the responsibility of trying later. There's still a point of going through the local server though, of course to get verification that the email address really belongs to you. With a running connection the feedback link is established and the client can do the factoring, not the server. Likewise any webinterface (yahoo etc.) could offload it to the client through a java applet or similar.
Of course the message itself can be cached on the server as usual, so it won't matter what speed the connection is, as long as the factoring noumbers get transfered properly. Perhaps having the server do the factoring as a "back-up" solution in case of temporary connection failure would work. It'd work with a few remote sites being offline, on the other hand if the connection to the outside goes down and the mail server gets filled, there's trouble in paradise...
I haven't got any idea how much real mail servers do "behind the lines". How often can't it connect at all? How realistic is it really to replace the mail server with something that would be practicly an IM to the remote mail server) + caching proxy? Damned if I know, I just know my bandwidth is being stolen by people sending me advertisements I pay for. And I'm tired of it.
Kjella
Live today, because you never know what tomorrow brings
Okay, how about the reverse. Do a DNS lookup on the name of the originating mail domain. See if the looked up IP matches the sending mail server, or the recorded IP of a mailserver in an earlier Received By header, or the MX record of any such mahcine.
I'll see your senator, and I'll raise you two judges.
Is it just me, or does anyone else wonder about a company like AT&T having massive problems because of a few spammers? Isn't it a little more likely that somebody screwed up the mail routers and they blamed it on spam? I wouldn't expect them make a press release saying "we fucked up email, sorry.".
-- I saw it on the internet, it must be true.
The context was corperate users on the road with laptops. That implies some sort of user account on the intranet.
In other cases, there is a simple Free software. Look into the cyrus with SASL. It integrates with sendmail, and provides IMAP services. The SASL feature allows it to have a seperate user database so that a login need not be provided.
What about those of us who use webmail addresses as spam traps? Now we have to use crappy web interfaces to send (or those webmail companies have to set up SMTP AUTH, with which they very well may not want to bother).
They can either set up SMTP AUTH (no problem), or they can stay as they are (O.K. for you) and risk becoming a spam relay. Once abused sufficiently, they will either get AUTH, shut down, or be blocked so widely that it's useless for you anyway.
I know I could probably set something like this up on our network and nobody would say a word.
I am sorry, but for THREE YEARS I did not get but three pieces of spam in my ATTBI (up until recently @Home) Mailbox.
.)
How?
Well, my address WAS posted at a few places.
But they were all trusted locations.
Let me ask you some questions.
Have you ever used e-bay?
Any other online retailer?
How much do you trust this (these) online retailer(s)?
Have any of those retailers gone out of business since you gave them your e-mail address by any chance?
Does anybody else who DOES have your e-mail address have a habit of doing stupid ass shit? (such as, say, running outlook. . .
Does your browser know your real e-mail address? (IIRC, it is simple to grab a persons e-mail from their browser).
Have you used anon FTPs and actually submitted your REAL e-mail address to them? (doh!)
Do you read over ALL licencing terms that you agree to on sites that may even possibly have your e-mail address?
And their privacy policies?
And compared the two side by side to look for any loop holes that the company may be able to use?
Do you use separate e-mail addresses for different tasks? If so, how segregated do you keep these different addresses?
In other words, 'idiotic things' pretty much means ANYTHING that is not fully Tin Foil Hat Paranoia Compliant.
Need help treating your acne? Come here!
My point is that people should be able to post their address anywhere and not get spam. It's idiotic that you have to be "fully Tin Foil Hat Paranoia Compliant" and a cyber-hermit in order to avoid spam.
Putting a link to your e-mail address on your web page isn't "idiotic." It's done as a courtesy and convenience to both you and your readers. Making it easy for someone to e-mail you an answer when you ask for help in a public forum isn't stupid. It's polite and it makes it more likely that you'll get a response. Making your e-mail address visible and convenient when you are selling something is reasonable, not idiotic.
I simply disagree with your premise that anyone who chooses to use their e-mail the way that they want to is an "idiot." I think it's sad that spammers have been able to inconvenience you, me, and so many others on the net.
God help any spammer I ever meet in person...
This has existed for years. Just so you know.
Vintage computer games and RPG books available. Email me if you're interested.
The context was corperate users on the road with laptops.
But the broader context is about changing the way that email works for everyone. There are lots of suggestions that might work for a small subset of users, but fail to satisfy the breadth of needs fulfilled by our current email system.
The SASL feature allows it to have a seperate user database so that a login need not be provided.
Shell accounts are not the point (by "login" I assume you mean shell, since any provision of a username and password is "logging in"). Forwarding addresses now are just entries in the aliases map, without any sort of account at all. (And, before you say it, no server need be an open relay). Now you're asking the sysadmin to maintain a set of SMTP accounts with usernames and passwords, and probably to write a password-changing mechanism (the sysadmin running "saslpasswd" is not acceptable). One might also need a mechanism for locking accounts after a certain number of failed login and presenting the last successful and last failed login attempt to the user. The point is, authentication can be complicated, and "just give them all accounts" can be quite a hefty proposition.
They can either set up SMTP AUTH (no problem), or they can stay as they are (O.K. for you) and risk becoming a spam relay.
OR, as things stand now, without the valid servers published for each domain, users can use their ISP's mail servers. There's nothing that indicates that the webmail companies need to be open relays or that they are now. My point is that they are unlikely to bother setting up SMTP AUTH or to become an open relay, so users who want to send mail as their webmail addresses will be forced to use the web interface.
The other problem with all of this is that every mail client would need to be re-written to make the outgoing SMTP server dependent on the From address. Talk about a user support nightmare...
The real question is: would this stop spam? Much of the spam I get comes from open relays and have faked From addreses (and refers me to a web site or telephone number). What's to stop someone from using as the From? (Remember that if example.com is running an open relay, they can't be relied upon to do anything responsible or not to do anything irresponsible.) The rest of it comes with a "From" on some fly-by-night domain that can set its DNS records however it likes. Some of it sets both the "From" and recipient addresses to my address (and it seems that could be blocked in other ways without a significant change in behavior).
There is some portion that uses a "From" of yahoo.com or hotmail.com, but given all the pain through which this proposal would put non-spamming users and that the spammers would quickly adapt, I'm not sure that it's worth it to block this particular avenue of spamming.
Cleaning up the AT&T house would get rid of more than 20% of of the spam *I* receive.
Yes, mindspring has been doing this for a long time. At one point, they had the dialin users "trapped" -- port 25 always goes to their mail server no matter who you tried to connect to.
Yes, you can claim to be whomever you choose, but mindspring/eartlink will be able to tell who actually sent the message by simply looking at their logs. There they will find the IP of the origination point and thus YOU. If you connect directly to some server on korea that doesn't log anything or add any header listing where the message came from, then there's no way to tell who's responsible.
I think I see the confusion now! I was talking about measures to restrict people from originating mail with a fake from address. You're talking about recieving mail.
The case of a simple mail forwarder is no problem. The final recieving MTA would be able to see that the From address and the originating server match and that the relaying server is a designated mail server in it's domain. Meanwhile, the relay server will presumably have performed similar checks.
None of this will necessarily kill spam, a willing ISP can set up whatever they want in their DNS just as you said. It WILL prevent abuses of innocent ISPs (as originators of spam). With that accomplished, spam servers can be blackholed with confidence and certainty without ISPs having to block outgoing connections to outside SMTP servers.
You've got it backwards - there are mail packages such as Spam Bouncer that let you filter based on character set - if you never want to receive email in Korean, Chinese, or Russian, you can discard it all based on character-set headers. If you never want to receive email from Korea, you can even block that too. (That's a bit less reliable, because it's possible that there's someone in Korea you'd want to talk to, but you could probably set an autoresponder rule that tells Koreans that you're blocking email from there due to heavy spam levels, so they should use a non-Korean email system such as Hotmail/Yahoo/etc. to send you mail.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Mailing lists are the obvious place where hashcash fails, because as you say, a large real mailing list has the same scaling problems that a large spammer list has. The way to fix that is for hashcash mail systems to use whitelists - if you know the sender isn't a spammer, accept mail from them without hashcash. Of course, that just encourages spammers to join mailing lists and then spam them.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Spam laws won't work until they can be applied effectively everywhere in the world; not a chance. Meanwhile, some of the proposed laws have had significant anti-privacy terms - banning anonymous email, banning mail services that don't insist on getting your personal identification. Here in the US, we've got a First Amendment, and most of the anti-spam laws are much better at trying to weaken it than at actually blocking spam.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Use two e-mail addresses.
:)
One that has lots of filters put on it (filtering out "Penis enlargement" "MLM" and "100% legal" should cut your spam at least in half ^_^ ) and another one for private exchanges that you use personally.
Yes it is a pain, but then again until recently (and some would say still), similar procedures are needed to keep away from telemarketers too. Hell look how long it took to get some legal recourse in THAT arena!
Yes, agreed. Spammers _ARE_ right up there with the scum of the earth, but this is a capitalistic society that we live in, and as such if there is an idiotic plan that promises to make money fast, then we are going to have to deal with idiots trying to follow that plan.
Hell I am just grateful that I have only ever had one vacuum cleaner salesmen come to my door.
Need help treating your acne? Come here!
So what's the alternative? It's to make sure, as often as possible, to build applications programs that have security tools, and to make them as secure as possible by default. We need to try to anticipate problems that will affect lots of people beyond the intended users.
Economics will be hard to fix, because the whole Moore's Law effect driving our industry is that computation and communications keep becoming radically cheaper, and email has been really cheap for a long time. What we have to do is find ways to use those economics for spam prevention - as pattern recognition becomes easier, it's more usable for tracking down spammers, and you can make it *much* easier by techniques like seeding your websites with bogus email addresses you can use to trigger defensive responses, track down spammers, and get ISPs to block abusers. It's also important to use our communications abilities to coordinate spam detection and blocking - the RBL and its relatives are a beginning for this kind of process. Teergruben are another approach, especially if they can be coordinated. But it's also important to make sure that anti-spam tools aren't easily abused as Distributed Denial Of Service attacks (e.g. forging spam leading to mailbombing or long-term blockading of the forgee), which is amazingly easy (e.g. suppose you reply to a spammer's "remove me" address with a thousand emails of "From: bogusaddress1@bogus.net\nSubject: Unsubscribe\n\nbegin 666 vmunix\n...."
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
An entertaining way to use Teergruben would be to set your DNS server to respond to requests from RBL locations with random teergrube servers. Handout them an MX record for some machine they really don't want to talk to...
If you've got a number of people running teergruben, you can share bogus addresses on each others' domains, you can spread around the damage so that the spammers end up stuck on lots of teergruben at once.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks