Slashdot Mirror


ISP Chief on Spam

saddlark writes "internetweek.com has another article about spam and false positives. They've talked to Barry Shein, president of The World (the world's first dialup ISP) - someone highly affected by spam. Quote: We're victims of crime, and nobody gives a damn. That's a nice feeling -- your business is being pounded into dust by criminals, and people say, `Live with it,' Shein said." ISPs have it pretty bad since their SMTP servers are often being hijacked to send email that nobody wants. As annoying as spam is to us (113 messages so far today!), it's even worse on that side.


  1. live with it indeed by carpe_noctem · · Score: 2, Insightful

    Yes, that's right. You probably just have to live with it. The best that ISPs can hope to achieve is a reasonable amount of spam filtering, and locking down their own systems to prevent abuse. Beyond that, quit your whining....the internet is a hostile place, and spam is just one part of it that you have to learn how to fight.

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    1. Re:live with it indeed by dubl-u · · Score: 5, Insightful

      the internet is a hostile place, and spam is just one part of it that you have to learn how to fight.

      My god! I now get it! And your advice is so applicable elsewhere in life!

      Those people complaining about crime in urban areas? They should just shut up.

      People starving to death in Africa because warlords, corrupt governments, and civil war make it impossible to grow food? They should just tighten their belts or eat dirt or something. Or maybe fight back by hiring troops to protect their subsistence farms.

      And those people in small, unimportant countries that get invaded? Well, that's their mistake. They should have picked a bigger country to live in. Or domed it over or something.

      Yep! The world is a hostile place, and people should learn how to deal with it instead of whining about things like laws and governments and human rights.

  2. Keep whining and nothing happens by slashuzer · · Score: 3, Insightful
    Quote: We're victims of crime, and nobody gives a damn.

    This happens because the people who are in position to make laws and policies are directly affected. All the whining goes on in the technical community, but talk to your elected representative and ask them where spam figures in their priority.

    Secondly, to get laws passed, you need a lobby. Hell, even *IAA managed to get asinine laws passed because they lobbied as a group: they were able to highlight (rightly/wrongly) how their financial interests were being compromised.

    Unless a lobby is formed and pressure sustained, we can whine all day on /. We can send 100 spams to Alan Ralsky. We CAN'T end spamming.

  3. Re:I'm not that bad off by silentbozo · · Score: 5, Insightful

    It only takes one slip. And it doesn't even need to be you who posts your e-mail. Maybe a helpful customer recommends you to someone else in an online forum. Maybe a mailing list archive, or an e-mail excerpt gets posted to the web. Maybe your relative/friend/significant other is running MS Outlook, got hit by an e-mail worm, and started spewing worm infested e-mails with e-mail of everyone in their address book, including your e-mail.

    Once a spammer gets a hold of it, they'll use it. They'll sell it. They'll extract the first portion (i.e., the foo from foo@bar.com), and start pattern matching it against a library of domains in case you have multiple accounts (foo@aol.com, foo@yahho.com, foo@hotmail.com, foo@yourdomain.com, foo@foo.com, etc.). Hell, if your address is short enough, they don't even need to get your e-mail. They'll just generate it randomly, so they can claim it as one of their "13-million address CD", and woe to you if they actually score a hit.

    Of course, the people who really get screwed are people who use e-mail for business, for example customer support, info, etc. So the next time you get really shitty e-mail service from your bank, ISP, etc., think about how much crap they had to wade through in order to get your message, and how much you have to pay in order to cover that overhead. The spammer isn't paying, that's for sure...

  4. Re:I'm not that bad off by KjetilK · · Score: 5, Insightful
    Because I don't want to hide away, and I don't want spammers to dictate what I can do. I want to communicate with people all over the world, if there's something they're curious about, something I wrote on my web pages, then I'd like them to contact me. That is how the world gets smaller and a better place to live.

    Spammers are about to destroy all this. Because they're posting to mailing lists that are there with the same philosophy, the effort it takes to keep those mailing lists up and running is huge. They are destroying the very fora we use to communicate, they are, as I see it, the greatest threat to the free flow of opinions we are seeing today.

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
  5. When will they learn? by citking · · Score: 3, Insightful
    The major problem with spam these days is that "joe user" supports its use.

    I know many people who know little to nothing about computers or the internet. They have not yet been jaded by the flashing banners and e-mail spam messages that promise free programs, trips, prizes etc. So they click away, and before you know it they are getting flooded with hordes of unsolicited e-mail. My aunt recently got a warning from her ISP for exceeding her allotted mail box space 17 times last month. I had to write them a nasty e-mail criticizing the lack of filters (even though it was my aunt's fault for posting to a bunch of newsgroups).

    I guess the point is this: As long as people who don't know any better keep clicking on banner ads and checking out spam e-mail, the advertising companies are going to keep flooding people with messages. Their point of view is this: As long as we are getting some kind of return on our investment, we might as well continue to exploit this service. People just need to be educated on techniques designed to avoid supporting spammers, whether purposely or inadvertently.

    --
    "This food is problematic."
    1. Re:When will they learn? by ConceptJunkie · · Score: 3, Insightful

      I had to write them a nasty e-mail criticizing the lack of filters (even though it was my aunt's fault for posting to a bunch of newsgroups).

      It's not your fault when someone abuses you or takes advantage of you. Certainly, there are steps to take to help prevent this abuse, but let's leave the fault where it belongs: the spammer.

      --
      You are in a maze of twisty little passages, all alike.
  6. Re:Replacement needed for SMTP by carpe_noctem · · Score: 5, Insightful

    SMTP won't just die, it needs to be replaced. If you can come up with a protocol that solves spam and works as well as SMTP, write an RFC and get some code out there.

    People have said the same thing about HTTP, FTP, and pretty much every other standard protocol on the internet. So far, SMTP seems to have come under the most fire because of spam. I've been wondering when Microsoft will write their own closed mail protocol that effectively gets rid of spam, then proposes that everyone "migrate" from email to ms-mail or whatever the hell they wanna call it.

    I think that we can all see that the ability to have an open, widespread protocol with spammers abusing people is a much lesser evil than microsoft controlling the entire email market. I propose that instead of getting rid of email, we add extensions to SMTP, just like they did for HTTP1.1 in order to better suit the needs of the growing net.

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
  7. Anti Spam Legislation by Sayten241 · · Score: 2, Insightful

    Those of you who see this and start yelling "let's outlaw SPAM it's bad!" might want to sit back and think about it. Sure, an anti-SPAM law would be great, however, it could open the floodgates to other laws relating to the internet that would not be so great. Once the law makers get into our realm, they're not gonna leave until they've changed the internet completely.

  8. From the trenches by cluge · · Score: 5, Insightful

    NUMBER ONE REASON SPAM CONTINUES - Little or no consequences for the SPAMMER. No way to make your AUP stick easily. Until you start taking the consequences for thievery out of the cyber world and start applying them in the real world, SPAM will continue.

    If you're an ISP (or related industry) your credit card vendor/bank automatically places you in a category called "high risk". This means that if a customer refutes a charge then the money is taken AWAY from you and you are charged an additional charge called a charge back. Congratulations, you have an ironclad AUP, but if you don't have a signature (and most ISPs take signups over the phone) then you're screwed should the SPAMMER SPAM. It's such a nice feeling to know you're getting nailed twice by the spammer:

    a. They use your system for something illegal, taking up resources in addition to the time it takes to hunt them down and turn them off.
    b. They then charge their credit card back for the account and the AUP violation charge (SPAM Cleanup fee).

    I have worked for ISPs for almost 10 years now (Yes THAT long). In that time I have watched and fought against the huge rise in SPAM. Currently I help administer mail servers for several domains that are high profile SPAM targets. So that you can get an idea of how bad spam is let me give you some statistics from the trenches.

    1. One popular domain receives about 120,000 messages/day for accounts that don't exist. There are actually only 35 mail accounts on that box. The target is very popular because of the domain name. That doesn't count the faked bounces which often constitute a few thousand messages/day.

    2. With one domain that services about 10,000 users, the implementation of a "mailgate" (BSD box with postfix and RBL and other anti-spam measures) reduced the amount of spam by 2/3s. Statistically that meant that 89% of all attempted connections to that box were refused.

    3. The equipment used to deliver mail as little as 8 years ago can not be used now for reliable mail delivery. It would not survive the load. A SPARC 2 running sendmail could easily handle mail for thousands of users 8 years ago. With the advent of spam and the sheer VOLUME of mail transactions such a solution today would be problematic at best. Moore's new law may say something like "Every 3 years the amount of computing power required to run an e-mail server will triple".

    The number one cause of complaints for ISPs is e-mail problems. If e-mail fails customers go nuts (as they rightly should). This means ISPs must invest serious money, time and effort into an e-mail solution. Stopping SPAM or preventing it from overwhelming your e-mail servers is no easy task. It takes time, energy, intelligence and precious resources away from other things.

    Spammers do such nice things as fake bounce messages, hijack school computers in the far east, use several dial up connections concurrently and start running spam until they get shut down. They use faked return addresses from a legitimate domain, overloading that domain's mail servers as thousands of bounces go to it. They take over poorly maintained machines with high bandwidth and open up hundreds of simultaneous connections to a mailserver, essentially preventing legitimate traffic from hitting those servers until the spam run is done.

    BUT I HAVE A SOLUTION!! Using spammers' logic here is my solution. I have automatically signed up every e-mail sender to a new contract. This contract says that if you send me an e-mail that I don't like I can break your kneecaps. If you don't like this arrangement you can "opt-out". Just send your opt out message to dev-null@aol.com and I'll be sure to add you to the list of people that don't want their knee caps broken!

    SPAMMING is nothing more than common thievery, it is a theft of services, it is theft of time, it is theft of resources and finally most spam runs should be considered a denial of service attack. In fact for small ISPs they often are. Until you bring consequences out of the cyber world into the real world there will never be a solution. Knee cap breaking is a fine real world consequence.

    cluge

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  9. Re:email as we know it is the problem by GigsVT · · Score: 2, Insightful

    as long as you require people to go through an ISP's mail servers

    Why the hell would you consider this an ideal solution? If I want to connect to a computer on port 25, I better damn well be able to, otherwise you are no longer really an ISP, you are more of a "web provider".

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  10. Try reading the article next time. by fmaxwell · · Score: 3, Insightful

    The ISP is being inundated by spam sent through outside networks to them, not by their users spamming.

    That's the most common problem. I run my own domain and do battle with the spammers on a daily basis. I don't have trouble with spam going out of my network. I have problems with spammers trying to send it in. I am blasted by spammers typically operating out of Brazil, China, Korea, and Russia. Complaints to the ISPs seldom result in even an autoresponse -- much less any action.

  11. SMTP is not the culprit by e2d2 · · Score: 5, Insightful

    The answer is to modify SMTP as we have it. Require authorization. Make it impossible to forge headers.

    Having written various SMTP software for a few years now I would like to comment on the "forged headers". Forged email headers mean nothing. When a client connects to an SMTP server to send a message the client's IP address is recorded and this is added to the message. You can open any email in a text editor and see the originator of the message, his/her IP address that is. Anyone can add a header to the message, it's up to the email reader to interpret it. That system works, and spammers are identified. BUT by the time we catch them they have moved to other locations, or they were using an open relay. Spammers can be caught, the 7 million dollar AOL settlement was evidence to that.

    I do however agree with the Authorization argument. If more SMTP servers in the world would simply require authentication/authorization from their users and shut down open relays then it would eliminate a good portion of spam and add a little accountability for users of SMTP.
    Why An Open Relay is a Problem.

    It won't however stop joe spammer from getting a cable connection and setting up his qmail cluster so he can start his "~You Have Won-Some NIGERIAN Money / Tits(c)!!!!!????" campaign at an easy going 50k messages/hour. I believe that changes must be made but they have to be well thought out or we will be in the same boat 15-20 years from now. I believe that instant messaging, presence servers, and presence proxies will take over in the future, slowly replacing email and we need to build up such provisions in these protocols now.

  12. Re:Teergrubes are the answer by Zeinfeld · · Score: 4, Insightful
    I run a tarpit on my mail server.

    This is a prime example of a half assed solution that causes more problems than it solves.

    Teergrubbing is really easy to detect, the sender simply measures the rate at which a link is accepting data and if it is below a threshold shuts down the connection. So don't think this sort of attack hurts the spammers, it doesn't, they take countermeasures.

    Instead the attack takes out legitimate senders whose emails are incorrectly identified by the teergrubbing algorithm. It is a classic example of a counter attack that creates more problems than it solves.

    There are similar problems with the much touted blacklists, many of which have been involved in blacklisting for arbitrary reasons. The problem being that the people who end up running the lists (as opposed to starting them) often turn out to be pretty involved in their own control freakery.

    There is no sure fire solution to spam, but there are plenty of systems that provide a useful degree of mitigation and in combination provide a pretty solid solution.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  13. Minor mods to SMTP needed... by mackman · · Score: 3, Insightful

    As I understand it, many spammers make their killing by sending a single email to hundreds or thousands of recipients. They just need to find a single SMTP server they can use as a relay and the bandwidth burden of redistributing all those copies falls in someone else's lap.

    What about the simple solution of disallowing multiple recipients in a single SMTP message? If someone legitimately needs to send to multiple email addresses, require a separate SMTP connection and separate copy sent for each.

    I'm confident the increased overhead from people sending legitimate email to multiple recipients will be greatly outweighed by the overall reduction in email traffic from spammers.

    Those of us who run mailing lists and the like could simply configure our SMTP servers to allow multiple recipients and then our server would be required to make separate connections for each recipient.

  14. go after the spammers by Anonymous Coward · · Score: 2, Insightful

    We should go after the people and companies that spam.

    1) Set up an organization of volunteers (mostly techies from big ISPs) to serve on a technical group that evaluates spam reports and hunts down the companies and individuals behind the spam.

    2) Publicize spammers' identities extensively.

    3) Encourage all businesses not to do ANY business with these people. Make it difficult for spammers to get a mortgage, telephone line, internet connection, new car, cable TV, lawn service, private school for their children, whatever.

    4) Picket their places of business and their homes. Tell their neighbors what they do for a living.

    Yeah, it's harsh. But it might work.

  15. Re:Stop crying and take action! by Kronovohr · · Score: 3, Insightful
    Just some notes to your message: They can implement strong AUPs that will do the following:
    • If a spammer is hosting on your system, you don't shut down the server/domain/site, but redirect it to a page saying it has been shut down for spamming while locking them out from changes or accessing the data.

      Yeah. Great. Most spammers are "smart" enough that they don't spam from their own domain -- they open multiple web hosting accounts elsewhere and blast out their mail from there via perl or php scripts activated by something as simple as wget or a perlbot.

    • Implement a stiff fine/cleanup fee.

      Sure thing. Oops, said credit card was stolen. There's the money they owe you, plus a $25 handling fee for a chargeback.

    • Provide people who complain the real information on the spammer.

      Sure thing (actually, that's in our AUP as well). Oops, they're actually

      1. a foreigner, and
      2. they signed up with fictitious information and a stolen credit card to boot
      Looks like the only thing we've got is an IP address in Indonesia, since they raped an open SOCKS proxy or someone else's web hosting server to sign up.
    • Confirm credit card information to make sure that the credit cards are not stolen.

      Sure thing. It was an AOL/earthlink/someotherlargeISPthatcaterstoidiots user, and all the information matches. Most cards aren't reported stolen until several MONTHS after they've been used for this purpose, simply because of the "honey, did you charge this?" "I might have" effect.

    • Secure your servers.

      That's always a given.

    The typical scenario in this type of situation goes something like this:

    1. A spammer in the US pays a spammer overseas x% to spam their shit.
    2. Said overseas spammer steals a credit card via scams, social engineering, or what have you
    3. Said overseas spammer uses an open relay in close proximity to the actual physical address of the cardholder, or a nationwide ISP to sign up for 50-100 web hosting accounts. The phone number given is a temporary cell phone number the spammer in the US has purchased on a temporary basis.
    4. The overseas spammer sets up spam bots on all of the servers mere minutes before sending the spam. Since most of these are written for each individual circumstance, there's no real way to check for them, else everyone's formmail and PHP form scripts would set them off.
    5. At the last minute of operation, the spammer starts a few hundred instances of wget, or a perl script that forks an instance per spam account, and the mail begins sending from all locations near-simultaneously.
    6. The hosts shut them down, redirect the site NOBODY'S EVEN HEARD OF to a page saying "This site was closed due to spam", and sometimes place the personal information of the innocent (but relatively stupid) person whose credit card number was on the order form.
    7. The spammer moves on for the next kill at the next location.
    8. The spammer in the US ditches the cell phone, as it was paid for fraudulently in the first place
    9. After adding a $400 cleanup fee to the customer's bill, the cardholder (who isn't the customer) does a chargeback for the time the site was hosted (often several months worth) and amount + $25/month for charges, so the host takes it in the ass. We've had some sit on a site for 6 months before spamming.

    Sure, you could attempt to track down each and every spammer, but even the credit card companies and merchant account providers don't care, because the chargebacks make them MORE money on top of everything.

    The simple fact of the matter is that the REAL people who could do something about this scenario, the credit card companies, who could actually provide contact information (like a home phone number!) to merchants checking to verify the charges, as well as changing their chargeback policy, couldn't care less because this type of fraud only nets them more money from providers who can only tell if the card and its information are "good" or "bad".

  16. Re:Time to ditch SMTP by bad-badtz-maru · · Score: 3, Insightful


    What are you talking about? I have never seen a piece of spam that contained headers from which it was impossible to determine the spam's origin. Spammers do put in fake headers, but only to fool morons, the real headers are always right in there too. The real problem is that, for the most part, knowing the IP origin of the spammer accomplishes nothing.

    maru
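
Comments 11 and 16 both rest on the same fact: the Received line your own server prepends records the connecting IP, and anything below that line is sender-supplied. The following is an added example, not code posted in the thread, that walks the Received chain and separates the two; the host names, the 10.0.0.0/8 range and both sample messages are constructed assumptions.

```python
import email
import ipaddress
import re
from typing import NamedTuple, Optional

# Assumptions for this example: the names and internal range of *our* mail servers.
OUR_MTAS = {"mx1.isp.example", "store.isp.example"}
OUR_NETS = [ipaddress.ip_network("10.0.0.0/8")]

CLIENT_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample: delivered straight to our MX, with a forged line underneath.
SPOOFED = (
    "Received: from mail.example.net (unknown [203.0.113.45])\n"
    "\tby mx1.isp.example (Postfix) with ESMTP id 4F2A1;\n"
    "\tMon, 3 Feb 2003 10:15:02 -0500\n"
    "Received: from bigbank.example (bigbank.example [192.0.2.10])\n"
    "\tby mail.bigbank.example with SMTP; Mon, 3 Feb 2003 10:14:55 -0500\n"
    "From: security@bigbank.example\n"
    "Subject: Account notice\n\nbody\n"
)
# Constructed sample: MX -> internal store, plus a forged line naming our own MX.
RELAYED = (
    "Received: from mx1.isp.example (mx1.isp.example [10.0.0.5])\n"
    "\tby store.isp.example with LMTP; Mon, 3 Feb 2003 11:00:03 -0500\n"
    "Received: from dsl-7.example.org (unknown [198.51.100.7])\n"
    "\tby mx1.isp.example (Postfix) with SMTP; Mon, 3 Feb 2003 11:00:01 -0500\n"
    "Received: from localhost (localhost [192.0.2.99])\n"
    "\tby mx1.isp.example with SMTP; Mon, 3 Feb 2003 10:59:00 -0500\n"
    "Subject: hello\n\nbody\n"
)


class Trace(NamedTuple):
    handoff_ip: Optional[str]  # address our own MTA saw connect; None if unknown
    claimed_ips: list          # addresses from lines the sender could have written


def parse_received(value):
    """Return (client_ip, by_host) from one Received header, or (None, None)."""
    flat = " ".join(value.split())                 # undo header folding
    from_part, sep, by_part = flat.partition(" by ")
    match = CLIENT_IP.search(from_part)
    if not sep or not by_part or not match:
        return None, None
    try:
        ip = str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None, None
    return ip, by_part.split()[0].rstrip(";").lower()


def trace_origin(raw_message):
    """Walk Received lines newest-first and stop where our own servers' record ends."""
    received = email.message_from_string(raw_message).get_all("Received", [])
    hops = [parse_received(str(v)) for v in received]
    handoff, boundary = None, len(hops)
    for i, (ip, by_host) in enumerate(hops):
        if ip is None or by_host not in OUR_MTAS:
            boundary = i                # not written by us: this line and below are claims
            break
        if any(ipaddress.ip_address(ip) in net for net in OUR_NETS):
            continue                    # handed over by one of our own hosts, keep walking
        handoff, boundary = ip, i + 1   # first outside address one of our servers recorded
        break
    return Trace(handoff, [ip for ip, _ in hops[boundary:] if ip])


if __name__ == "__main__":
    print(trace_origin(SPOOFED))
    print(trace_origin(RELAYED))
```

The third line in `RELAYED` names `mx1.isp.example` in its `by` clause yet is still reported as a claim, because the walk stops at the first outside address and never consults lines below it.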

  17. Re:Legality of Attacking Spammers? by plover · · Score: 3, Insightful
    As Bruce Schneier pointed out in his most recent issue of Cryptogram in a story called Counterattack, "...vigilantism: citizens and companies taking the law into their own hands and going after their assailants. Viscerally, it's an appealing idea. But it's a horrible one, and one that society after society has eschewed." He then goes on to say that laws must be applied fairly, and that the legal system is the only place to receive justice.

    I think one of the problems might be that your script could attack a semi-innocent mail relay, rather than the spammer's computer.

    So while I would cheer if you really hammered their boxes into dust, I wouldn't suggest that you could get away with it. Nor do I think you'd have any legal ground to stand on. You certainly couldn't claim that you didn't realize a spammer might step into your test script, because you just published your intent to all of us.

    But if you do, well, kick 'em in the URLs once for me. :-)

    --
    John
  18. I get very little spam... by Anonymous Coward · · Score: 1, Insightful

    I have a yahoo account with SMTP access (it costs a few bucks a year) and hardly ever get any spam. About 95% of spams just pile up in my bulk mail folder at yahoo and I never even see them on my email client at home. I sometimes check to make sure none of it was actually real mail but so far it's all been spam. So yeah, what was getting to be a real pain in the ass is now no longer any problem at all. If yahoo can do that for me I'm more than happy to pay a little for the service.

  19. Re:If this is what a small world is all about.... by slashuzer · · Score: 1, Insightful
    This is an interesting observation. I get a lot of spam from "western" organizations trying to sell me property, mortgage, selling viagra, diplomas etc.

    Anyway, agreed that a lot of spam might be originating out of US legislative power, but that is surely no reason not to get our house back in order. Alan Ralsky and Co. are still offering their "services". At least we can take lead and stop spammers in US and also set examples for others at the same time.

  20. _I_ care about false positives... by dpbsmith · · Score: 3, Insightful

    The World happens to be my ISP and I sympathize with Barry Shein and respect his views.

    But I darn well DO care about false positives.

    A few months ago "sent" me pictures from Shutterfly, an online photo-printing service that I rather like. Of course when you "send" pictures, what actually happens is that Shutterfly sends an automated email with a link in it; you click on the link, see the pictures in low-res and get to order prints. If you get the email, that is. The World was bouncing them, because something about them made it think they were spam.

    A few weeks ago, I was trying to register online for a conference I want to attend. When you register, the site sends you an automated confirmation email. Again, The World was bouncing them.

    I can deal with spam by deleting it. But how can I deal with email that's been improperly bounced? Unless the person who sends it happens to mention it to you, you never find out.

    When I contacted The World, their response was that they couldn't do anything UNLESS I COULD SEND THEM THE BOUNCED MESSAGE, INCLUDING HEADERS.

    Sounds like an Irish bull, doesn't it? "If you fail to get this, please send it to me so I can find out why it didn't get there..."