Internet Vigilante Justice, SPAM, and Copyrights
pdw writes "An interesting article about how vigilante justice on the Internet by anti-spam advocates can be just as threatening to the Internet as those proposed for copyright advocates."
This article demonstrates the problem we are up against getting people to secure their networks.
His mail server is an open relay, and he still doesn't realize it. Worse, he's a lawyer. These are the people that will be setting policy.
I wonder if it is even worth e-mailing to explain the situation to him.
Not only is he a lawyer, but he's a lawyer with an open relay, and he doesn't believe that spammers will 'lie' to get that server to propagate their mail!
Well, by setting your sender's address to a trivially guessed domain name (such as the reverse-mapped address of the host), you effectively have an open relay. Guess what spammers are doing: they are using known-good addresses, and try sending spam from those addresses to the MX hosts in the hope that the MTA does this foolish kind of access check.
This has been discussed for at least five years, and has been a point in the many FAQs and howtos on how to lock down your MTA for a long, long time.
If you really need to send mail through your MTA from arbitrary IP addresses, you need to employ authentication. Again, this is hardly a new technology, and many documents explaining how to combine SSL and authentication for SMTP exist.
How had it gained access to my mail server? Simple. It had forged the headers on its email to convince my mail server that the email it sent was from a permitted user.
One word: Authentication.
You see, my mail servers were set up to pass mail only from a domain name of which I am the only user. It blocks everything else. That's not an open relay. Unless you're a user in my domain, you can't use it.
Uh, it may not be a totally open relay in the literal sense of the word, but surely that still means it can be used to send spam, as long as the spammer figures out who to identify himself as - and if the Danes could do it, then it can't be that hard?
Any spam-block that relies entirely on the "from:" header is broken by design. What, spammers disguise their identities? Never!
He does seem remarkably clue resistant though. He *IS* running an open relay and admits it.
So what if you have to forge the FROM. It's not like spammers don't do that anyway.
This is the kind of thing you see every day in news:news.admin.net.abuse.email.
"Waah, I'm being blocked by your nasty list! I demand you stop blocking me or I'll drop pianos on all your heads! And I'm a lawyer!"
"A. No-one's blocking you, they're just *choosing* not to accept email from known open relays (or whatever the perp feels accused of)."
"You're abusing my First Amendment Rights to 'Frea Speach'"
"Our list is based in the Gobi Desert. *Our* first amendment guarantees the right to tea with yak butter."
Also, searching for his email address to see if he had ranted on usenet, I found this: Archived Article
an Excerpt (from the above article by "R. A. Hettinga" ):
New Architect is a Microsoft/DotNet magazine. This article is
agitprop for Microsoft's identity solutions: UDDI, Passport, and Palladium.
Any reputation framework that arises in the wild would reduce the
profitability of a Microsoft solution, so they are going to badmouth it,
sue it, etc.
dave
Anyhow, IMHO this is another blabla piece from someone who doesn't really have an understanding of what he's doing.. Typical American solution.. let's sue..
Nobody expects the spanish inquisition!
No, this guy *IS* an idiot. Based on what he says in his diatribe, he has his server configured to allow relay based on the sender email address. As he doesn't seem to realize he has discovered, this is NOT a secure way of configuring a server, and a server configured that way *IS AN OPEN RELAY*. Relay controls must be based on IP address, not sender email address. Other secure options include SMTP Auth and POP-before-SMTP.
His saying his server is not an open relay doesn't make it so. If some random person on the Internet can make his server send a message to some other random person on the Internet, then his server is insecure. Yes, spammers *DO* forge sender addresses in order to abuse these servers.
Spam, and the security and policies necessary to try and get control of it, are by nature a very technical field. More and more people who are just upset that they can't mail, and think the blacklists are responsible, and who aren't willing to take the time to understand what's really going on, are starting to get off on their soapboxes like this. THEY ARE WRONG.
If you subscribe to New Architect, this guy wrote a followup article to this one after receiving a boat load of mail pointing out that he was in fact running an open relay. He admitted to being behind the times, etc, said he was sorry. He still doesn't take back the fact he's mad at the vigilantes out there. Sorry, there's no link yet, I think NA has a lag between the print and web editions.
:-)
Point being, if they can forge a header to get on your computer, a spammer can very easily do the same thing. An interesting thing on my campus is the technology department regularly scans and tries to hack into FTP sites running on campus, and sends an e-mail to the admins if they're successful. Some students got mad, but the moral of the story is, better to have someone trustworthy find your weakness rather than someone who's going to exploit it. This seems to be a new effective form of security that's emerging, since we can't depend on everyone to stay up to date with the latest security issues, such as Mr. Faussett in the article. I think vigilante is the wrong term, these blacklist ops are doing everyone a favor by helping to clean up insecure sites, which in the end saves everyone money. I propose we call them "Freelance Security Advisors" or something like that.
Then that's when you want SMTP AUTH or POP-before-SMTP, a pretty typical configuration on modern mail servers. Or use your dialup ISP's mail server as a smarthost--that's what it's for.
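As an added example that is not part of any comment in this thread: a small Python model of the two relay policies argued over above, the sender-domain check the article's author relied on beside the client-IP / SMTP AUTH check these replies recommend. The hosted domain, the trusted network and the sample envelopes are all constructed values.

```python
import ipaddress

# Constructed values for the demonstration (not from the thread).
LOCAL_DOMAINS = {"example.com"}                        # domains this MTA hosts
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # the site's own LAN


def domain_of(addr: str) -> str:
    """Return the domain part of an envelope address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def relay_by_sender(mail_from: str, rcpt_to: str) -> bool:
    """The policy described in the article: relay whenever the envelope
    sender claims a hosted domain.  MAIL FROM is supplied by the client
    and never verified, so anyone who guesses the domain can relay."""
    return (domain_of(rcpt_to) in LOCAL_DOMAINS
            or domain_of(mail_from) in LOCAL_DOMAINS)


def relay_by_client(client_ip: str, rcpt_to: str, authenticated: bool) -> bool:
    """Relay control based on who connected, not on what they claimed.
    Mail *to* a hosted domain is inbound delivery and is always accepted;
    mail to anywhere else is relayed only from the trusted network or
    after a successful SMTP AUTH.  (POP-before-SMTP would instead add the
    client IP to the trusted set for a short time after a POP login.)"""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True
    ip = ipaddress.ip_address(client_ip)
    return authenticated or any(ip in net for net in TRUSTED_NETS)


def compare(client_ip: str, mail_from: str, rcpt_to: str,
            authenticated: bool = False):
    """Evaluate one envelope under both policies.

    Returns (sender_based_decision, client_based_decision)."""
    return (relay_by_sender(mail_from, rcpt_to),
            relay_by_client(client_ip, rcpt_to, authenticated))


if __name__ == "__main__":
    # A forged envelope from an unknown host: the sender policy relays it,
    # the client policy refuses it.
    print(compare("198.51.100.7", "someone@example.com", "victim@other.test"))
    # A mobile user who passed SMTP AUTH is relayed under both policies.
    print(compare("203.0.113.9", "me@example.com", "friend@other.test", True))
```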
Should we recommend this guy to Bernie Shifman just in case he's still looking to sue people?
The truth is that these home-grown spam mitigation methods do have their problems.
One of them is evident in the article: well-meaning users often do not understand what might be insecure about their server configurations, or what might need to be done to fix them. I am very comfortable with sendmail configuration, and I can tell you that setting up the authorizations correctly for mobile users to be able to send email safely is a narrow, twisty labyrinth in comparison to the big, flashing exit door marked "promiscuous relay".
Another problem in the home-grown nature of these solutions is the tendency for them to be personality-driven, instead of professional. Often, IP addresses (or even whole ISPs) are placed on blacklists because the blacklist maintainer does not mind creating a little collateral damage if they think it might create a little extra pressure on a spammer or an ISP.
Some blacklists have blocked out entire hosting companies, including some of the biggest ones on the net, simply because they did not think they acted with sufficient alacrity against spammers in their midsts. This kind of wild overkill is unfortunately too common, and perhaps it's a good argument in favor of for-profit blacklisting, which would probably exert some good influence on the question of list quality.
Earthlink rejects mail from any IP address that belongs to a dial-up pool that attempts to connect to their SMTP servers.
Ostensibly, this is done to reduce "direct-to-mx" spam, which is a very common spammer tactic. Unfortunately, it also makes life harder on the home linux enthusiast, or home business operator who might be running their own perfectly legitimate sendmail server. All part of the collateral damage in the spam wars: Internet access and Internet business are slowly becoming more expensive and possibly moving out of the reach of people with limited means.
So what should we do?
First, I think that current law against junk faxes should be extended to include junk emails. This would not eliminate spam, but it would give us the ability to correct the spammers who operate out in the open.
As a Libertarian, I want to jealously guard the right of the people to freedom of expression. But that right does not and cannot include the right to expropriate other people's time or money. You have a right to make your voice heard. You do not have a right to force me to pay for it.
Second, I think that we should be careful about the blacklists that we use, and prefer those operated by recognizable and accountable companies wherever possible.
Finally, I think that for the foreseeable future, filtering at the user desktop will be necessary.
(Cards-on-the-table time: I am working on a new solution for end users to eliminate spam from their inboxes. It is based on a new method, and it will work for any user who uses a POP email account. It will be ready for public beta soon. Please write to me if you want to learn more.)
The struggle against spam is definitely picking up, and I think that a new equilibrium is approaching.
Some students got mad, but the moral of the story is, better to have someone trustworthy find your weakness rather than someone who's going to exploit it.
Sometime in the next week or so, I am going to stop by your home and probe for any security problems that a burglar might exploit.
You sir, are of subhuman intelligence.
There is a distinct difference between a University testing the security of systems directly connected to its own network and jackasses like yourself equating it to random strangers "testing" a systems security.
To clarify in terms of the flawed analogy you provide, no one should have trouble with their landlord testing their home's security, as the landlord is the one who is responsible, and who fixes it when it is broken. That is not the same as inviting any random stranger off the street to do likewise.
The Future of Human Evolution: Autonomy
However, the reason to not do this is that it's insecure. A large percentage of the spam I receive claims to be from the domain that it's being sent to, so his system would happily relay it.
The second reason should trump the first reason, but obviously if you're a clue resistant lawyer with a chip on your shoulder, it doesn't.
For those who appreciate irony, consider this --
He's basically written this big diatribe, which to spammers says `hey! you can relay through my mail server!' ... so a spammer finds it, and forges their spam to allow it to go through it, and uses it to spam the world. Then somebody gets flooded with these spams, and sues our friend Bret. They can even use his article as evidence that his mail server was open and he knew it, but that he refuses to secure it.