ISP Chief on Spam

saddlark writes "internetweek.com has another article about spam and false positives. They've talked to Barry Shein, president of The World (the worlds first dialup ISP) - someone highly affected by spam. Quote: We're victims of crime, and nobody gives a damn. That's a nice feeling -- your business is being pounded into dust by criminals, and people say, `Live with it,' Shein said." ISPs have it pretty bad since their SMTP servers are often being hijaaked to send email that nobody wants. As annoying as spam is to us (113 messages so far today!), it's even worse on that side.

Replacement needed for SMTP

[jamie]

I think we're living in the last days of SMTP as our email delivery protocol. It worked great for the first ten years but now the commons is being exploited. This is a simple truth of economics. It costs nothing to send an email -- it's too cheap to measure -- and high-volume advertising is a natural consequence.

I don't think Barry is right about the situation being about to implode. "Imminent death of the net predicted" has a poor track record for accuracy. But I wouldn't be surprised to see things get much worse over the next, let's say, three years.

What we need is to have a replacement ready. Waiting in the wings to take over. As "SMTP email" becomes more and more spammy, and people get more and more frustrated with both spam and the inconveniences caused by fighting spam, the number of people willing to adopt a replacement will grow.

My contention is that the only way to solve the problem is to make it cost something to send spam. The root of the problem is the unbelievable cheapness of delivery. Every attempt to solve the problem has been an attempt to make delivering spam more expensive (typically by getting spammers kicked off ISPs, cancelling their contracts and costing them money circuitously).

We simply need to make email delivery cost something. A tenth of a penny an email would be more than enough.

Maybe it can be done with "hash cash," requiring the email sender to spend CPU cycles to solve a math problem. Personally I don't think that's going anywhere; CPUs are way too cheap right now. But that's an ingenious approach to the problem and a good example of the kind of thinking that will be needed.

I lean toward inventing an entire micropayment system to solve this problem. The advantage is that, piggybacked on the solution to spam, you get micropayments -- which, when applied to the web, usher in a whole new era of content production.

But whatever happens, something needs to be waiting in the wings for when SMTP finally hits the wall.

Re:Replacement needed for SMTP

The SMTP extensions have already been written. The problem now is on the social side.

What's needed is a coalition of major ISPs to declare that they will only deliver mail from servers with a valid certificate. That combined with certificate blacklists would decimate 99% of the spam out there and effectively cut off all of those open spam relays off from the net.

The reason this would work is that getting a certificate is much more difficult than getting a mail server and an IP address, and it's much more easy to track. IP blocking was tried, and it failed.

Of course, this touches on the greater issue that the idealized Internet was built on anonymity, but now it's time to get pragmatic or watch the whole thing collapse.

Stop crying and take action!

[www.sorehands.com]

ISPs are able to take action against spam!

They can implement strong AUPs that will do the following:

• If a spammer is hosting on your system, you don't shut down the server/domain/site, but redirect it to a page saying it has been shut down for spamming while locking them out from changes or accessing the data.
• Implement a stiff fine/cleanup fee.
• Provide people who complain the real information on the spammer.
• Confirm credit card information to make sure that the credit cards are not stolen.
• Secure your servers.

Re:Stop crying and take action!

[pete-classic]

ISPs don't generally run on a huge margin.

What do you think the staffing requirements of ruthlessly enforcing the AUP would be? What kind of attorney's fees do you think bullets one and three would cause an ISP to incur?

I think your suggestions make sense, but fail to take the economics into account.

-Peter

Live with it?

[Nordberg]

Most users might be able to live with it, but what they don't see is the 50%-90%+ of spam that is filtered out before it even hits their inbox.

I know I still get about a spam a day, after my personal filters ditch about 80% of what comes in. And that's after my ISP filters out what is likely an equal amount.

That means about 25 spams a day are sent my way. Multiply by the tens of thousands of e-mail accounts on a mid-sized ISP, and it starts to cost these businesses real money.

get a filter!

[RyLaN]

I went and got POPfile and now, two weeks after I saw the link to it in a article, my spam filtering has a 99.7 sucess rate. It filters everything by adding a X-Text-Classification header and then my mailer does the rest.. Easy easy easy..just give it a bigger corpus and block those type of emails on the smtp server.

Re:email as we know it is the problem

[Todd+Knarr]

Actually SMTP does a good job with e-mail. Mostly ISPs need to use what's already provided in SMTP and in mail servers. For example, use one mailserver for outgoing mail and require SMTP AUTH to use it. The seperate incoming server has to not require authorization, but it should only accept incoming mail and reject anything that wouldn't be delivered to one of your customers. Doing that and implementing standard anti-relaying rules and keeping current on security patches would eliminate much of the problem.

As for unforgeable headers, as long as you require people to go through an ISP's mail servers and don't have an authoritative list of all mail servers in the world, you have to allow the client system to provide headers that your server accepts. If you allow that then anyone can forge headers, and if you don't then how do you handle the headers on a message being relayed through the sender's ISP's mail server? You don't know what the sender's username is unless you trust the sending server, and if you trust the sending server then I can set my software up to impersonate a trustable server and get forged headers through. Encrypted and authenticated connections won't help, not without aforementioned authoritative list of legal mail servers which we don't have. And how do you handle legal forgery, eg. my using a "silverglass.org" e-mail address on messages originating from a non-silverglass.org system (my mail isn't handled by the same entity that handles my Internet connection and I plan on keeping it that way)?

SSH, scp and SFTP replaced Telnet, rcp and FTP because people could state what they wanted that the older protocols couldn't do and how those things could be done. Before you can replace SMTP you need to outline exactly what you want the new protocol to do and how it can do it, and resolve any conflicts between what it allows and what people need to do.

Spam filtering

[Huogo]

I was searching around earlier, and to solve my own spam problem I downloaded POPFile. It is a cross platform email proxy (runs locally). You still use whatever email client you want, with just a few minor changes to your configuration (pop server is now 127.0.0.1 and username is now mail.server:username). It employs a bayesian filtering method. It is very easy to use and has been working GREAT for me so far. It can add a classification to the subject (IE an email labed hello, would become [spam] hello) or it can add a X-Text-Classification header which your mail client can search for, so you can decide exactly what you want to do with different kinds of email. I havn't found a better solution yet.

Filtering still costs... and other thoughts.

[blowdart]

have it pretty bad since their SMTP servers are often being hijaaked to send email that nobody wants.

If an ISP is running an open relay, then they deserve to get highjacked. There's no excuse for that these days.

However, filtering at the SMTP level, whilst useful, still isn't a complete solution. Why not? Well

• Even if you drop the connection after the HELO/EHLO, your bandwidth is still being used. A lot of spamware doesn't even cope with dropped connections, or user not found messages, and will still sit there, attempting to send, using your bandwidth.
• No filtering is perfect. Either it doesn't catch enough, or it deletes too much. Simply tagging mail, and not deleting means your disk space is still being used to store the spam until your users decide what to do with it.
• DNS based RBLs are wonderful. I use them (stats are at oberon.idunno.org/spam/, but how much do you trust the black list providers? Then, of course, you have people suing the black list providers, who then bow out because it's easier than mounting a defence.
• "Free speech". Yes, we know free speech doesn't apply to spam, or to those of us outside the US, but the idiotic mindset of a spammer doesn't seem to realise that my private property negates their right to talk to me. And thus more legal threats begin.

So, what to do? Small ISPs will have problems. Spammers sign up with credit cards, do a spam run, and flee. So, you have the credit card number, FINE THEM. Put that in your contract.

What can be done about the big boys hosting spammers, Verio, Exodus et al? Block them at the routers.

Re:Alternatives?

[CommanderTaco]

There is: ESMTP. Provides a framework for extending SMTP, including allowing for username/password authentication. Wrap it with SSL/TLS and you're good to go. Most of the popular MTA's (sendmail, postfix, qmail) either have built-in support or patches available, and many popular MUA's (outlook/oe, mozilla, evolution) support it as well.

Spam, deal with it or stop it?

[MrEnigma]

I think the problem right now is that everyone is focusing on just sorting it out after they receive it. So that the end user doesn't have to worry about this. Most people probably use some sort of this protection, I currently use Popfile, check it out at http://popfile.sourceforge.net. Open Source written in perl, naive bayesian spam filtering, works great. However we do need to somehow make it for we don't even have to sort this crap. An authenticated SMTP server, or something of the likes, a new standard could fix things, or at least help a ton.