Slashdot Mirror


ISP Chief on Spam

saddlark writes "internetweek.com has another article about spam and false positives. They've talked to Barry Shein, president of The World (the world's first dialup ISP) - someone highly affected by spam. Quote: We're victims of crime, and nobody gives a damn. That's a nice feeling -- your business is being pounded into dust by criminals, and people say, `Live with it,' Shein said." ISPs have it pretty bad since their SMTP servers are often being hijacked to send email that nobody wants. As annoying as spam is to us (113 messages so far today!), it's even worse on that side.

21 of 284 comments

  1. Alternatives? by Anonymous Coward · · Score: 2, Interesting

    Though I've never really investigated it, there HAS to be some kind of alternative to SMTP. It's always struck me as a horribly insecure protocol and something that should have been replaced long ago.

    I suppose the real problem now isn't finding a new protocol, but rather, getting wide-spread adoption of it, seeing as email has become a part of daily life.

  2. I hate to rehash an old argument..... by rindeee · · Score: 3, Interesting

    ...but I am going to anyway. There are a handful of very feasible ideas out there for stopping spam. Permission to send systems. Systems that require a token to be processed with each message sent (sending a message is trivial, sending millions of messages at once requires a server farm doing nothing but processing tokens). The list goes on (probably considerably longer than I realize). I honestly think it is simply a matter of time until the Open Source community begins implementing this and the rest of the industry follows. Now, let's get hopping.

    ER

  3. email as we know it is the problem by geek · · Score: 4, Interesting

    Let's face it, SMTP as well as POP3 and IMAP are old protocols. They came to be when networks were small and more trusted. The fact that 99% of ISPs use the email account as the service provider account is clearly insecure. Email travels around in clear text, passwords and all. This is how most crackers get into networks, by simply sniffing out the name and password of email accounts.

    Email needs a massive overhaul like the one telnet has gotten. Telnet is obsolete, replaced by SSH. FTP is replaced by SFTP and SCP.

    Email needs to be cleaned up, secured and as easy to use as it is today. Encrypting it helps, but you also need to design the protocol so that headers can't be faked. You need to design anti spam into it from the beginning. Anything we do to SMTP now is just a hack on a very old outdated protocol.

    Oh and yes I know what I'm talking about, I've run several nationwide mail systems for two ISPs. It's a nightmare I wouldn't wish on an enemy.

  4. 1000 per day by Anonymous Coward · · Score: 3, Interesting

    We are a small company (2 people) who run some high profile (non-spam, non-porn) sites. Without the DNS BLs, spam traps etc, we would get over 1000 per day (close to 2000 on some days). One email that has not been used since 1995 still gets spam sent to it...it is a primary spam trap.

    What is a solution? Various ones, but legal ones will not work for any length of time, it is like a hydra, cut off one head and more grow back.

    What I would like to see (and what we proposed years ago, when micro-payments were in their infancy) was something that allowed you to specify users who you were willing to accept mail from. Everyone else had to pay you something (you could specify it), say, $0.01 or $0.10. Anyone willing to pay that could send you the mail, otherwise they are out of luck.

    Personally I would love to get junk mail then - at 1000-2000 per day, that is a nice bit of money per year!

  5. Time to ditch SMTP by LostCluster · · Score: 3, Interesting

    SMTP has a fundamental flaw that spammers have been able to exploit for years. It is far too easy to place false header information, making it impossible to identify the true source of spam. The best way to isolate spammers is to require that the sender must continue to store the message and only send a smaller crypto checksum of the message with the information about where the full message is available at the sender-provided server. Yeah, spammers could still send out their trash this way... but this system does not allow them to lie about their IP address, because the IP address the sender specifies has to be where the full message lives. Once a server is being identified as spewing spam, the server would be quickly nuked by either ISPs pulling the plug or blacklisting. The remaining users would have a key that leads to a non-existent message, which client software can drop without ever needing to present the failure to the user. Effectively, spam is killed after it's been sent, and the user never is bothered.

    1. Re:Time to ditch SMTP by thebigmacd · · Score: 2, Interesting

      How about "reverse PGP authentication"? Where everyone can decrypt the payload with a public key, but only the real sender can encrypt it? The roles of the private/public keys would be reversed. Of course, inside the "encrypted" public message, conventional PGP could be used for security. The public authentication key would be bundled with the message so any server could validate it. As well, inside the authenticated message, before the payload, a special header would contain the public key as well, so servers could validate the sender more quickly by encrypting only part of the message, matching the external pubkey to the internal pubkey; if they match, voila! Got that? :) Just a thought.

  6. Re:I'm not that bad off - I am by chimpo13 · · Score: 2, Interesting

    30-50? That's pretty good. Between work and home, I get around 175 spams a day. It's nice taking a vacation, and checking my email for the first time in a week. There's about 800 messages at home, plus another hundred at work.

    And I have a hotmail account that's used for when I buy stuff from businesses I expect spam from. Places that don't use the double opt-in and sell my name to others. I often change my name to see the spam spread. But I don't really count that email as spam because that's what it's for.

    My yahoo accounts don't get much spam, and that's what I use when I sign up for mailing lists.

    I've never signed up for anything under my domain name, that's bots scanning sites. I use servercentral as my webhost, and I get around 50 spams a day that are addressed to servercentral-user@spam.com

    And lately, I've been getting bounce backs from servers from spam that's sent under my domain name. It's having a domain name that gets me so much spam.

    I've been using MailWasher (bounces email saying I don't exist), but that's going to change I think. After a vacation, MailWasher doesn't work because there's so much spam. And besides, who sends spam without faking the From address? It's effective about 95% of the time - about 5% false-positives.

    Ah, that was good. I hit preview, and got a call from a telemarketer.

  7. I don't want to pay that by pclminion · · Score: 3, Interesting

    As stupid as it sounds... Would I still be "allowed" to have my own mail server that sends messages free of charge? Or would there be some law declaring me to be a spam terrorist if I provide free email service?

    Hash cash seems more reasonable, but in order to really stop a spammer you want to delay him/her (it?) for probably on the order of a second per message, at least. Even if you find some algorithm to do that, it'll really annoy me to have to wait a second to send regular email also. So, I'm bitching about a second. But those can add up.

    Now, maybe what you could do is charge for bounced email messages. The recipient decides whether he/she wants to open the message. If they open it, it is automatically free of charge. If they bounce it without opening it, the sender gets a small charge. The idea being, you get paid for the unwanted mail people send to you.
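
Added example, not part of any commenter's post: the per-message token from comment 2 and the "hash cash" idea from comment 7, sketched as a proof-of-work stamp that is expensive to mint and costs one hash to check. The stamp layout, SHA-256, the function names and the addresses are assumptions made for this sketch; it is not the real Hashcash stamp format.

```python
import calendar
import hashlib
import secrets
import time


def zero_bits(digest):
    """Number of leading zero bits in a hash digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def mint(recipient, bits, now=None):
    """Sender: brute-force a counter until the stamp hashes to `bits` zeros."""
    day = time.strftime("%Y%m%d", time.gmtime(now))
    prefix = f"{bits}:{day}:{recipient}:{secrets.token_hex(8)}:"
    counter = 0
    while True:
        stamp = prefix + str(counter)
        if zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1        # expected 2**bits attempts, repeated per recipient


class StampChecker:
    """Recipient: one hash to verify, plus recipient, age and replay checks."""

    def __init__(self, my_address, min_bits, max_age_days=2):
        self.my_address = my_address.lower()
        self.min_bits = min_bits
        self.max_age = max_age_days * 86400
        self.seen = set()   # spent stamps; a real store would expire these

    def accept(self, stamp, now=None):
        now = time.time() if now is None else now
        parts = stamp.split(":")
        if len(parts) != 5 or not parts[1].isdigit() or len(parts[1]) != 8:
            return False, "malformed"
        _, day, recipient, _, _ = parts
        if recipient.lower() != self.my_address:
            return False, "wrong recipient"   # minted for someone else
        try:
            minted = calendar.timegm(time.strptime(day, "%Y%m%d"))
        except ValueError:
            return False, "malformed"
        if not -86400 <= now - minted <= self.max_age + 86400:
            return False, "stale"
        if zero_bits(hashlib.sha256(stamp.encode()).digest()) < self.min_bits:
            return False, "insufficient work"
        if stamp in self.seen:
            return False, "replayed"          # same stamp cannot pay twice
        self.seen.add(stamp)
        return True, "ok"


if __name__ == "__main__":
    stamp = mint("alice@example.org", 16)     # constructed address
    print(stamp, StampChecker("alice@example.org", 16).accept(stamp))
```

Because the recipient address is inside the hashed string, the work has to be redone for every recipient, which is where the cost to a bulk sender comes from.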

  8. Re:Replacement needed for SMTP by singularity · · Score: 5, Interesting

    Every time an article about Spam comes up, someone always posts the same basic rant about micropayments and/or "hash cash", and it gets quickly modded up to 5.

    Think about it people, this is not going to happen. I could list a thousand problems with the idea (How do you deal with international ISPs, how do you deal with ISPs that do not require it, where does the money go, and so on).

    Some more basic questions that will prevent it: We here on Slashdot are hesitant about doing anything that might ruin our privacy. Think about the full implications of *whatever SMTP server you use having some credit card information about you*.

    Think about the protests when AOL and MSN are taking in tens of thousands of dollars a week for email.

    I cannot believe that people that propose these ideas do not ever think through it fully. Email is so great because it is easy *and free*. Charging for email, even .1 cent an email, is a step backwards, and definitely not a long-term, practical solution. Sure, it might help get rid of a lot of Spam now, but it definitely causes more problems than it solves.

    The answer is to modify SMTP as we have it. Require authorization. Make it impossible to forge headers.

    The big problem, of course, is international mail. I get mail from Korea, China, and Russia. Almost all of it is Spam. Whatever we do is going to have to get at that problem.

    Think about the Slashdot article in four years, talking about how a lot of Chinese rebels are not able to send email to the United States because of micropayments and the problems they have with that.

    --
    - (c) 2018 Hank Zimmerman

  9. Re:live with it indeed by lrichardson · · Score: 3, Interesting

    There have been dozens (OK, probably thousands) of solutions floated, of which many are feasible. A couple of (US) states have passed laws prohibiting 'spam'. And, as the number of judgements against those companies violating those laws increases, we will see a number of things:

    -Spammers moving offshore (as if Asia wasn't already the #1 spam source)

    -The amounts of the judgements increased (hitting a company where it hurt$ get$ their attention)

    -The ease of getting a judgement against them increases. (which also magnifies the previous point)

    Personally, I liked the simple idea of requiring all unsolicited business offers to have "Advertisement" as the first word in the subject line ... it would have made filtering them trivial.

    And, perhaps more important, falsifying headers gets slapped down under existing criminal wire laws. Either way, they're fairly easy laws to define and implement ... all it takes is getting the attention of politicos long enough to pass the laws, and then the law enforcement branches to enforce them.

    Unsolicited faxes are the closest example - unwanted, and they cost the end-user - and every year some company gets slapped down hard (the most recent one I read of filed for bankruptcy due to the magnitude of the fine) - because laws were passed and enforced. That's all it would take to bring the spam problem down to manageable levels.

  10. Teergrubes are the answer by Brian+Kendig · · Score: 5, Interesting

    The only way to solve the problem is to make it cost something to send spam.

    That's what I'm doing right now.

    I run a tarpit on my mail server. Send me spam, and my mail server identifies it as such and imposes a cost on the sender -- in this case, the cost is that my mail server holds on to his connection and sends nothing but occasional keepalive messages in return. The spammer's relay (or the open relay he's hijacking) is deprived of an outgoing connection it could be using for sending spam to somebody else. Eventually the spammer will hit enough teergrubes that all of his outgoing connections will be tied up by them, and he'll come to a complete stop.

    If the spammers begin catching on to this, and dropping their connections to me after they see me stall for N seconds, then I'll just set my mail server to automatically stall all incoming SMTP connections for N+10 seconds.

    So the cost I'm imposing on spammers isn't money, but time and resources. A mom-and-pop ISP isn't going to be deterred by having its outgoing SMTP connections held for a minute before they're accepted. A spammer trying to send out two and a half million spam messages *will* be deterred by this.

  11. Re:From the trenches by gorbachev · · Score: 2, Interesting

    A simple solution for ISPs is not to sell services to spammers in the first place.

    The high volume spammers are almost all known at this time, and they have a history of terminations and other problems that you can check prior to opening their accounts. Just do some screening before you take a client. news.admin.net-abuse.sightings, ROKSO, ask the client questions ("Have you lost accounts before for TOS violations?" "If so, why?" Have a clause in your TOS that will allow you to terminate them immediately, if they lie.), etc.

    The smaller fish who don't have a history, will not cause you that much trouble anyway, so you'll be fine.

    Proletariat of the world, unite to kill spammers

    --
    In Soviet Russia, I ruled you

  12. Yes! They rely on volume *over time* by kfg · · Score: 2, Interesting

    Just slowing them down will make the whole affair less attractive. Not eliminate it, but at least eliminate a good deal of it.

    You think the second will annoy you. My guess is that, unless you are using mail as some sort of IM device, after the first few times you won't notice *10* seconds.

    Delay a spammer's mail 10 seconds *per item* and you bring him to his knees.

    Of course the spammers are going after IM now. . .

    KFG

  13. Legality of Attacking Spammers? by BigBlockMopar · · Score: 3, Interesting

    You know, he does make a good point about spam being, essentially, a denial of service attack. It denies me use of a portion of my hard drive, of my server's CPU cycles for SETI@Home, etc.

    Here's a question. If I put up a page like this on my website:

    Welcome to the glowingplate.com automated security test.

    This is a free service provided to Internet users so that they can test the invulnerability of their computer systems.

    We accept no liability whatsoever for any damages caused.

    In order to test your computer - and ONLY to test your computer, no human ever reads e-mail sent to this address - send an e-mail to $E-MAIL_ADDRESS. We will retrieve your e-mail address from the message headers and immediately begin the test.

    And then pound 'em into the ground with a script that runs through every known vulnerability of Windows networking.

    I figure that if enough of their address lists can be polluted with enough e-mail addresses which crash their systems, they'll eventually die out.

    Does anyone keep any good legal counsel on retainer? Any lawyers out there care to discuss ways that such a thing can be done legally from Canada or the US?

    The alternative might be to buy service from a hosting provider in some third-world country with no laws, and take care of it from there.

    --
    Fire and Meat. Yummy.

  14. No the solution is simple by anthony_dipierro · · Score: 3, Interesting

    Require a cleared deposit or a credit check. If they don't have good credit, don't let them have an account. When they chargeback, sue 'em. Call the FBI, too, cause they are engaging in criminal wire fraud.

  15. Latency is good! by Lulu+of+the+Lotus-Ea · · Score: 5, Interesting

    I wrote an article on spam filtering techniques at:

    http://www-106.ibm.com/developerworks/library/l-spamf.html

    Following that, I got into a discussion with a reader who ran an ISP, and wanted to implement some filtering techniques on his SMTP server. My reaction--and the more I think about it, the more convinced I am--is that actual filtering is heavier than is needed for this purpose.

    I believe that a great deal of the problem with SMTP servers is NOT ENOUGH latency. If you were to add a few seconds extra latency for every "RCPT TO:" field, there would be little effect for regular email usage. But such a couple seconds latency would make spamming impossible through that server. This latency can be a simple timer on the server, starting from a connection opened with a MAIL FROM: message.

    There are a few details to handle here. To prevent multi-threaded spammers who open many sockets, you'd have to add a semaphore to each connection that limited connections from the same IP address. And as a general principle, you should not accept connections from every IP in the world (don't open relay). Moreover, demonstrated legitimate mailing lists could perhaps be granted special connections without the extra latency (but there should be a real procedure to prove you have a real mailing list in the ISP contract)
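
Added example, not part of any commenter's post: the latency idea from this comment, which is also the mechanism behind the tarpit in comment 10 and the per-item delay in comment 12, as an asyncio SMTP front end that stalls before every RCPT TO reply and caps open connections per client IP. The 2-second delay, the cap of 2, the class and function names and the host name are assumptions for illustration; message bodies are read and discarded.

```python
import asyncio


class RcptThrottle:
    """Per-recipient delay plus a cap on open connections per client IP."""

    def __init__(self, rcpt_delay=2.0, max_conn_per_ip=2, exempt=()):
        self.rcpt_delay = rcpt_delay
        self.max_conn_per_ip = max_conn_per_ip
        self.exempt = set(exempt)   # e.g. verified mailing-list hosts
        self.active = {}            # client IP -> open connections

    def open(self, ip):
        if self.active.get(ip, 0) >= self.max_conn_per_ip:
            return False
        self.active[ip] = self.active.get(ip, 0) + 1
        return True

    def close(self, ip):
        self.active[ip] -= 1
        if self.active[ip] == 0:
            del self.active[ip]

    def delay_for(self, ip):
        return 0.0 if ip in self.exempt else self.rcpt_delay

    def min_hours_for(self, recipients):
        """Lower bound on hours one IP needs to address N recipients."""
        return recipients * self.rcpt_delay / self.max_conn_per_ip / 3600


async def handle(reader, writer, throttle, sleep=asyncio.sleep):
    """Serve one SMTP session, stalling before each RCPT TO reply."""
    ip = writer.get_extra_info("peername")[0]

    async def say(text):
        writer.write(text.encode() + b"\r\n")
        await writer.drain()

    if not throttle.open(ip):
        await say("421 too many connections from your address")
        writer.close()
        return
    try:
        await say("220 mail.example ESMTP")
        while True:
            line = await reader.readline()
            if not line:
                break
            verb = line.strip().upper()
            if verb.startswith(b"RCPT TO:"):
                await sleep(throttle.delay_for(ip))  # the added latency
                await say("250 recipient ok")
            elif verb == b"DATA":
                await say("354 end with <CRLF>.<CRLF>")
                while True:                          # body is discarded here
                    body = await reader.readline()
                    if not body or body.rstrip(b"\r\n") == b".":
                        break
                await say("250 ok")
            elif verb.startswith(b"QUIT"):
                await say("221 bye")
                break
            else:                                    # HELO, EHLO, MAIL FROM
                await say("250 ok")
    finally:
        throttle.close(ip)
        writer.close()
```

To serve it on a socket, pass `lambda r, w: handle(r, w, throttle)` to `asyncio.start_server`. With these settings `min_hours_for(2_500_000)` is about 694 hours for a single client IP, while a one-recipient message waits two seconds.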

  16. The solution to spam by tuxlove · · Score: 2, Interesting

    I put the finishing touches on my antispam program this week. I went from getting 150-200 spams a day to ZERO overnight. It's very simple. If an email sent to me isn't from a known address, it puts the mail into a staging area and sends a confirmation request to the originator of the message. If they reply, their original email gets put in my mailbox. If they don't, their message is deleted from the staging area after a few days.

    It's transparent to me. I never see anything in my mailbox except email from known people, and unknown people who actually exist and reply to the confirmation request. So far, none of the responders have been spammers, and if they had I'd then know how to find them! Works flawlessly, so for me spam is a thing of the past. Go ahead spammers, do your worst.

    It's impossible to describe the feeling of liberation.
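
Added example, not the commenter's program: a staging queue of the kind this comment describes, with known senders delivered directly, unknown senders held until they return a confirmation token, and unanswered mail purged after a hold period. The class name, the 3-day hold, the random token, the one-challenge-per-sender rule and the handling of the null sender are assumptions of this sketch.

```python
import hmac
import secrets


class ConfirmQueue:
    """Hold mail from unknown senders until they answer a confirmation."""

    def __init__(self, known, hold_days=3):
        self.known = {a.lower() for a in known}
        self.hold = hold_days * 86400
        self.pending = {}   # sender -> {"token", "deadline", "messages"}
        self.inbox = []     # what the user actually sees
        self.outbox = []    # confirmation requests to send: (sender, token)

    def receive(self, sender, message, now):
        sender = sender.strip().lower()
        if sender in self.known:
            self.inbox.append(message)
            return "delivered"
        entry = self.pending.get(sender)
        if entry is None:
            entry = {"token": secrets.token_urlsafe(16),
                     "deadline": now + self.hold, "messages": []}
            self.pending[sender] = entry
            # One request per unknown sender per hold period, and none for
            # the null sender of a bounce, so that a forged From address
            # is not flooded and bounces do not loop.
            if sender not in ("", "<>"):
                self.outbox.append((sender, entry["token"]))
        entry["messages"].append(message)
        return "staged"

    def confirm(self, sender, token, now):
        """Release staged mail only if the reply carries the issued token."""
        sender = sender.strip().lower()
        entry = self.pending.get(sender)
        if entry is None or now > entry["deadline"]:
            return False
        if not hmac.compare_digest(token.encode(), entry["token"].encode()):
            return False
        self.inbox.extend(entry["messages"])
        self.known.add(sender)      # later mail skips the staging area
        del self.pending[sender]
        return True

    def purge(self, now):
        """Delete staged mail nobody confirmed; returns messages removed."""
        expired = [s for s, e in self.pending.items() if now > e["deadline"]]
        return sum(len(self.pending.pop(s)["messages"]) for s in expired)
```

The confirmation request goes to whatever address the message claims as its sender, so when that address is forged the request lands on a third party; the single-request rule above limits how much of that the queue generates.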

  17. Start hitting the open relays by coyote-san · · Score: 3, Interesting

    I've contacted a number of sites running open relays that were used to joe-job one of my domains. A few were legitimately careful but got caught by Exchange's configuration files or had non-servers hijacked (e.g., one had a Cisco router hijacked!), but most didn't know or care that their mail server was an open relay.

    Because of this and the infeasibility of the per-message solutions, I think it's time to start hitting open relays with statutory penalties. Something on the order of $100-200 first offense, $200-500 second, $500-1000 on third and subsequent offenses, collectable through the victim's local small claims court. To minimize baseless complaints (and allow companies to ensure that they're not running an open relay) the courts could require confirmation that a site is running an open relay via an approved testing service, basically what a lot of the blacklist sites already do with test messages.

    It should go without saying that any fines and court costs could be passed on to the upstream site that sent the spam. Maybe they were hacked - it really doesn't matter. Either you were authorized to send mail through that relay or you weren't. In the first case your contract specifies the damages (if any), in the latter case it's already a criminal trespass case.

    Shutting down the open relays won't eliminate spammers, of course, but it should reduce the damage caused to innocent third parties and the true spammers will be universally blacklisted.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken

  18. $200/user-year? by theonetruekeebler · · Score: 3, Interesting

    From the article:

    Enterprises spend about $20 per user per year fighting spam; that's about 10 percent of the overall e-mail budget for running Microsoft Exchange

    It costs $200 per user per year to run e-mail with Exchange? Just how the hell much does it cost otherwise? Regardless, it is nice to see a dollar value placed on the cost of controlling spam. If fighting spam becomes a billion-dollar cost in the U.S., will there finally be some legislation with some teeth?

    --
    This is not my sandwich.

  19. false positives acceptable? by nothings · · Score: 2, Interesting

    I used to have an account on Shein's ISP--I'm sure there are still pointers to buzzard@world.std.com on my own pages--but their attitude towards false positives was simply unacceptable to me and a lot of other people I heard who left "The World". Erring on the side of getting more spam and no false positives was clearly preferred by me and by other vocal customers, especially those who ran businesses from their World accounts.

    But Barry's stance was that since the vast majority of customers just wanted all the spam gone, the right thing to do was to accept a certain level of false positives. Unannounced--no warning that you would have legitimate mail returned to your friends with the unhelpful '200 UCE not accepted' or even '200 No thank you' replies (I don't remember the actual number, sorry)--with no "opt-out-of-the-spam-blocking" option for other customers.

    One theory I have for The World's problems is that spam-blocking doesn't scale with customers, so The World is hit by it worse than larger ISPs. It seems like the support costs of dealing with customer complaints would scale with customers, though. But, for example, there apparently is (was) a pattern of spammers taking a list of plausible user names and emailing every name on the list @ the target host. Since that list of names is the same length whether it's theworld.com or aol.com, but the number of customers is different, the cost-per-customer for dealing with that (bandwidth / etc.) is higher for the smaller ISP. But nobody at The World was willing to comment on this sort of customer scalability issue (although they mentioned that particular spam scenario because they had a fairly aggressive response to it to avoid bandwidth--they stopped accepting connections from that IP for an hour or two if it was detected, which meant legit mail from that IP was often delayed and sometimes bounced if it kept getting reblocked).

    Anyway, the upshot is, I have very little sympathy for somebody who thinks it's a good idea to let legitimate email get blocked as spam because it reduces customer support costs. It's just moving the problems somewhere else where the customers don't know about them.

  20. Re:World's first? Like hell... by World_Leader · · Score: 3, Interesting

    Barry Shein here, BS yerself (great initials tho), see RFC2235 for example. Netcom existed but wasn't offering customers INTERNET access other than hauling their e-mail back and forth to the internet. Big deal, even compuserve did that back then and any number of UUCP providers. Netcom started offering real internet access around April 1990 after they saw we weren't murdered for doing it. The World started offering the general public real dial-up access to the internet in November 1989, like ftp and telnet and all that (there was no web yet.) We got a lot of grief for doing it and even got blocked from big chunks of the net for a while. I remember it well, I should publish the flames I got for letting people onto the internet for mere money. Back then we were just world.std.com (std is for Software Tool & Die, the original company) but now usually go by http://www.theworld.com though the old address works just fine.