ISP Chief on Spam

saddlark writes "internetweek.com has another article about spam and false positives. They've talked to Barry Shein, president of The World (the worlds first dialup ISP) - someone highly affected by spam. Quote: We're victims of crime, and nobody gives a damn. That's a nice feeling -- your business is being pounded into dust by criminals, and people say, `Live with it,' Shein said." ISPs have it pretty bad since their SMTP servers are often being hijaaked to send email that nobody wants. As annoying as spam is to us (113 messages so far today!), it's even worse on that side.

email as we know it is the problem

[geek]

Lets face it, SMTP as well as POP3 and IMAP are old protocols. They came to be when networks were small and more trusted. The fact that 99% of ISP's use the email account as the service provider account is clearly insecure. Email travels around in clear text, passwords and all. This is how most crackers get into networks, by simply sniffing out the name and password of email accounts.

Email needs a massive overhaul like the one telnet has gotten. Telnet is obsolete, replaced by SSH. FTP is replaced by SFTP and SCP.

Email needs to be cleaned up, secured and as easy to use as it is today. Encrypting it helps, but you also need to design the protocol so that headers can't be faked. You need to design anti spam into it from the beginning. Anything we do to SMTP now is just a hack on a very old outdated protocol.

Oh and yes I know what I'm talking about, I've run several nationwide mail systems for two ISP's. It's a nightmare I wouldn't wish on an enemy.

Re:Replacement needed for SMTP

[singularity]

Every time an article about Spam comes up, someone always posts the same basic rant about micropayments and/or "hash cash", and it gets quickly moddded up to 5.

Think about it people, this is not going to happen. I could list a thousand problems with the idea (How do you deal with international ISPs, how do you deal with ISPs that do not require it, where does the money go, and so on).

Some more basic questions that will prevent it: We here on Slashdot are hesitant about doing anything that might ruin our privacy. Think about the full implications of *whatever SMTP server you use having some credit card information about you*.

Think about the protests when AOL and MSN are taking in tens of thousands of dollars a week for email.

I cannnot believe that people that propose these ideas do not ever think through it fully. Email is so great because it is easy *and free*. Charging for email, even .1 cent an email, is a step backwards, and definitely not a long-term, practical solution. Sure, it might help get rid of a lot of Spam now, but it defiitely causes more problems than it solves.

The answer is to modify SMTP as we have it. Require authorization. Make it impossible to forge headers.

The big problem, of course, is international mail. I get mail from Korea, China, and Russia. Almost all of it is Spam. Whatever we do is going to have to get at that problem.

Think about the Slashdot article in four years, talking about how a lot of Chinese rebels are not able to send email to the United States because of micropayments and the problems they have with that.

Teergrubes are the answer

[Brian+Kendig]

The only way to solve the problem is to make it cost something to send spam.

That's what I'm doing right now.

I run a tarpit on my mail server. Send me spam, and my mail server identifies it as such and imposes a cost on the sender -- in this case, the cost is that my mail server holds on to his connection and sends nothing but occasional keepalive messages in return. The spammer's relay (or the open relay he's hijacking) is deprived of an outgoing connection it could be using for sending spam to somebody else. Eventually the spammer will hit enough teergrubes that all of his outgoing connections will be tied up by them, and he'll come to a complete stop.

If the spammers begin catching on to this, and dropping their connections to me after they see me stall for N seconds, then I'll just set my mail server to automatically stall all incoming SMTP connections for N+10 seconds.

So the cost I'm imposing on spammers isn't money, but time and resources. A mom-and-pop ISP isn't going to be deterred by having its outgoing SMTP connections held for a minute before they're accepted. A spammer trying to send out two and a half million spam messages *will* be deterred by this.

Latency is good!

[Lulu+of+the+Lotus-Ea]

I wrote an article on spam filtering techniques at:

http://www-106.ibm.com/developerworks/library/l- sp amf.html

Following that, I got into a discussion with a reader who ran an ISP, and wanted to implement some filtering techniques on his SMTP server. My reaction--and the more I think about it, the more convinced I am--is that actual filtering is heavier than is needed for this purpose.

I believe that a great deal of the problem with SMTP servers is NOT ENOUGH latency. If you were to add a few seconds extra latency to for every "RCTP TO:" field, there would be little effect for regular email usage. But such a couple seconds latency would make spamming impossible through that server. This latency can be a simple timer on the server, starting from a connection opened with a MAIL FROM: message.

There are a few details to handle here. To prevent multi-threaded spammers who open many sockets, you'd have to add a semaphore to each connection that limited connections from the same IP address. And as a general principle, you should not accept connections from every IP in the world (don't open relay). Moreover, demonstrated legitimate mailing lists could perhaps be granted special connections without the extra latency (but there should be a real procedure to prove you have a real mailing list in the ISP contract)