ISP Chief on Spam
saddlark writes "internetweek.com has another article about spam and false positives. They've talked to Barry Shein, president of The World (the world's first dialup ISP) - someone highly affected by spam. Quote: We're victims of crime, and nobody gives a damn. That's a nice feeling -- your business is being pounded into dust by criminals, and people say, `Live with it,' Shein said." ISPs have it pretty bad since their SMTP servers are often being hijacked to send email that nobody wants. As annoying as spam is to us (113 messages so far today!), it's even worse on that side.
They can implement strong AUPs that will do the following:
Fight Spammers!
It only takes one slip. And it doesn't even need to be you who posts your e-mail. Maybe a helpful customer recommends you to someone else in an online forum. Maybe a mailing list archive, or an e-mail excerpt gets posted to the web. Maybe your relative/friend/significant other is running MS Outlook, got hit by an e-mail worm, and started spewing worm infested e-mails with e-mail of everyone in their address book, including your e-mail.
Once a spammer gets a hold of it, they'll use it. They'll sell it. They'll extract the first portion (ie, the foo from foo@bar.com), and start pattern matching it against a library of domains in case you have multiple accounts (foo@aol.com, foo@yahho.com, foo@hotmail.com, foo@yourdomain.com, foo@foo.com, etc.). Hell, if your address is short enough, they don't even need to get your e-mail. They'll just generate it randomly, so they can claim it as one of their "13-million address CD", and woe to you if they actually score a hit.
Of course, the people who really get screwed are people who use e-mail for business, for example customer support, info, etc. So the next time you get really shitty e-mail service from your bank, ISP, etc., think about how much crap they had to wade through in order to get your message, and how much you have to pay in order to cover that overhead. The spammer isn't paying, that's for sure...
Spammers are about to destroy all this. Because they're posting to mailing lists that are there with the same philosophy, the effort it takes to keep those mailing lists up and running is huge. They are destroying the very fora we use to communicate, they are, as I see it, the greatest threat to the free flow of opinions we are seeing today.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
SMTP won't just die, it needs to be replaced. If you can come up with a protocol that solves spam and works as well as SMTP, write an RFC and get some code out there.
People have said the same thing about HTTP, FTP, and pretty much every other standard protocol on the internet. So far, SMTP seems to have come under the most fire because of spam. I've been wondering when Microsoft will write their own closed mail protocol that effectively gets rid of spam, then proposes that everyone "migrate" from email to ms-mail or whatever the hell they wanna call it.
I think that we can all see that the ability to have an open, widespread protocol with spammers abusing people is a much lesser evil than Microsoft controlling the entire email market. I propose that instead of getting rid of email, we add extensions to SMTP, just like they did for HTTP1.1 in order to better suit the needs of the growing net.
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
NUMBER ONE REASON SPAM CONTINUES - Little or no consequences for the SPAMMER. No way to make your AUP stick easily. Until you start taking the consequences for thievery out of the cyber world and start applying them in the real world, SPAM will continue.
If you're an ISP (or related industry) your credit card vendor/bank automatically places you in a category called "high risk". This means that if a customer refutes a charge then the money is taken AWAY from you and you are charged an additional charge called a charge back. Congratulations, you have an ironclad AUP, but if you don't have a signature (and most ISPs take signups over the phone) then you're screwed should the SPAMMER SPAM. It's such a nice feeling to know you're getting nailed twice by the spammer:
a. They use your system for something illegal, taking up resources in addition to the time it takes to hunt them down and turn them off.
b. They then charge their credit card back for the account and the AUP violation charge (SPAM Cleanup fee).
I have worked for ISPs for almost 10 years now (Yes THAT long). In that time I have watched and fought against the huge rise in SPAM. Currently I help administer mail servers for several domains that are high profile SPAM targets. So that you can get an idea of how bad spam is let me give you some statistics from the trenches.
1. One popular domain receives about 120,000 messages/day for accounts that don't exist. There are actually only 35 mail accounts on that box. The target is very popular because of the domain name. That doesn't count the faked bounces which often constitute a few thousand messages/day.
2. With one domain that services about 10,000 users, the implementation of a "mailgate" (BSD box with postfix and RBL and other anti-spam measures) reduced the amount of spam by 2/3s. Statistically that meant that 89% of all attempted connections to that box were refused.
3. The equipment used to deliver mail as little as 8 years ago can not be used now for reliable mail delivery. It would not survive the load. A SPARC 2 running sendmail could easily handle mail for thousands of users 8 years ago. With the advent of spam and the sheer VOLUME of mail transactions such a solution today would be problematic at best. Moore's new law may say something like "Every 3 years the amount of computing power required to run an e-mail server will triple"
The number one cause of complaints for ISPs is e-mail problems. If e-mail fails customers go nuts (as they rightly should). This means ISPs must invest serious money, time and effort into an e-mail solution. Stopping SPAM or preventing it from overwhelming your e-mail servers is no easy task. It takes time, energy, intelligence and precious resources away from other things.
Spammers do such nice things as fake bounce messages, hijack school computers in the far east, use several dial up connections concurrently and start running spam until they get shut down. They use faked return addresses from a legitimate domain, overloading those domain's mail servers as thousands of bounces go to it. They take over poorly maintained machines with high bandwidth and open up hundreds of simultaneous connections to mail servers, essentially preventing legitimate traffic from hitting those servers until the spam run is done.
BUT I HAVE A SOLUTION!! Using spammers logic here is my solution. I have automatically signed up every e-mail sender to a new contract. This contract says that if you send me an e-mail that I don't like I can break your kneecaps. If you don't like this arrangement you can "opt-out". Just send your opt out message to dev-null@aol.com and I'll be sure to add you to the list of people that don't want their knee caps broken!
SPAMMING is nothing more than common thievery, it is a theft of services, it is theft of time, it is theft of resources and finally most spam runs should be considered a denial of service attack. In fact for small ISPs they often are. Until you bring consequences out of the cyber world into the real world there will never be a solution. Knee cap breaking is a fine real world consequence.
cluge
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
the internet is a hostile place, and spam is just one part of it that you have to learn how to fight.
My god! I now get it! And your advice is so applicable elsewhere in life!
Those people complaining about crime in urban areas? They should just shut up.
People starving to death in Africa because warlords, corrupt governments, and civil war make it impossible to grow food? They should just tighten their belts or eat dirt or something. Or maybe fight back by hiring troops to protect their subsistence farms.
And those people in small, unimportant countries that get invaded? Well, that's their mistake. They should have picked a bigger country to live in. Or domed it over or something.
Yep! The world is a hostile place, and people should learn how to deal with it instead of whining about things like laws and governments and human rights.
Every time an article about Spam comes up, someone always posts the same basic rant about micropayments and/or "hash cash", and it gets quickly modded up to 5.
.1 cent an email, is a step backwards, and definitely not a long-term, practical solution. Sure, it might help get rid of a lot of Spam now, but it definitely causes more problems than it solves.
Think about it people, this is not going to happen. I could list a thousand problems with the idea (How do you deal with international ISPs, how do you deal with ISPs that do not require it, where does the money go, and so on).
Some more basic questions that will prevent it: We here on Slashdot are hesitant about doing anything that might ruin our privacy. Think about the full implications of *whatever SMTP server you use having some credit card information about you*.
Think about the protests when AOL and MSN are taking in tens of thousands of dollars a week for email.
I cannot believe that people that propose these ideas do not ever think through it fully. Email is so great because it is easy *and free*. Charging for email, even
The answer is to modify SMTP as we have it. Require authorization. Make it impossible to forge headers.
The big problem, of course, is international mail. I get mail from Korea, China, and Russia. Almost all of it is Spam. Whatever we do is going to have to get at that problem.
Think about the Slashdot article in four years, talking about how a lot of Chinese rebels are not able to send email to the United States because of micropayments and the problems they have with that.
- (c) 2018 Hank Zimmerman
The only way to solve the problem is to make it cost something to send spam.
That's what I'm doing right now.
I run a tarpit on my mail server. Send me spam, and my mail server identifies it as such and imposes a cost on the sender -- in this case, the cost is that my mail server holds on to his connection and sends nothing but occasional keepalive messages in return. The spammer's relay (or the open relay he's hijacking) is deprived of an outgoing connection it could be using for sending spam to somebody else. Eventually the spammer will hit enough teergrubes that all of his outgoing connections will be tied up by them, and he'll come to a complete stop.
If the spammers begin catching on to this, and dropping their connections to me after they see me stall for N seconds, then I'll just set my mail server to automatically stall all incoming SMTP connections for N+10 seconds.
So the cost I'm imposing on spammers isn't money, but time and resources. A mom-and-pop ISP isn't going to be deterred by having its outgoing SMTP connections held for a minute before they're accepted. A spammer trying to send out two and a half million spam messages *will* be deterred by this.
The answer is to modify SMTP as we have it. Require authorization. Make it impossible to forge headers.
Having written various SMTP software for a few years now I would like to comment on the "forged headers". Forged email headers mean nothing. When a client connects to an SMTP server to send a message the client's IP address is recorded and this is added to the message. You can open any email in a text editor and see the originator of the message, his/her IP address that is. Anyone can add a header to the message, it's up to the email reader to interpret it. That system works, and spammers are identified. BUT by the time we catch them they have moved to other locations, or they were using an open relay. Spammers can be caught, the 7 million dollar AOL settlement was evidence to that.
I do however agree with the Authorization argument. If more SMTP servers in the world would simply require authentication/authorization from their users and shut down open relays then it would eliminate a good portion of spam and add a little accountability for users of SMTP.
Why An Open Relay is a Problem.
It won't however stop joe spammer from getting a cable connection and setting up his qmail cluster so he can start his "~You Have Won-Some NIGERIAN Money / Tits(c)!!!!!????" campaign at an easy going 50k messages/hour. I believe that changes must be made but they have to be well thought out or we will be in the same boat 15-20 years from now. I believe that instant messaging, presence servers, and presence proxies will take over in the future, slowly replacing email and we need to build up such provisions in these protocols now.
I wrote an article on spam filtering techniques at:
http://www-106.ibm.com/developerworks/library/l-spamf.html
Following that, I got into a discussion with a reader who ran an ISP, and wanted to implement some filtering techniques on his SMTP server. My reaction--and the more I think about it, the more convinced I am--is that actual filtering is heavier than is needed for this purpose.
I believe that a great deal of the problem with SMTP servers is NOT ENOUGH latency. If you were to add a few seconds extra latency for every "RCPT TO:" field, there would be little effect for regular email usage. But such a couple seconds latency would make spamming impossible through that server. This latency can be a simple timer on the server, starting from a connection opened with a MAIL FROM: message.
There are a few details to handle here. To prevent multi-threaded spammers who open many sockets, you'd have to add a semaphore to each connection that limited connections from the same IP address. And as a general principle, you should not accept connections from every IP in the world (don't open relay). Moreover, demonstrated legitimate mailing lists could perhaps be granted special connections without the extra latency (but there should be a real procedure to prove you have a real mailing list in the ISP contract).
Buy Text Processing in Python
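
The per-recipient delay and per-IP connection cap described in the comment above (the same time-cost idea as the tarpit comment earlier in the thread), sketched as an added example that is not code from any poster or mail server. The class name, the default values and the sample addresses (documentation ranges) are assumptions; a real MTA would call these hooks from its connection and `RCPT TO` handlers.

```python
import threading
import time
from collections import defaultdict


class RcptThrottle:
    """Hypothetical policy object: delay every RCPT TO, cap connections per IP."""

    def __init__(self, delay_s=2.0, max_conn_per_ip=2, exempt_ips=(), sleep=None):
        self.delay_s = delay_s                # extra latency per recipient
        self.max_conn = max_conn_per_ip       # the "semaphore" per source IP
        self.exempt = set(exempt_ips)         # verified mailing-list senders
        self.sleep = sleep or time.sleep      # injectable so tests do not wait
        self._active = defaultdict(int)
        self._lock = threading.Lock()

    def open_connection(self, ip):
        """True if the connection is accepted; False means refuse and close."""
        with self._lock:
            if self._active[ip] >= self.max_conn:
                return False
            self._active[ip] += 1
            return True

    def close_connection(self, ip):
        """Release the slot taken by open_connection()."""
        with self._lock:
            if self._active[ip] > 0:
                self._active[ip] -= 1

    def on_rcpt_to(self, ip):
        """Call before answering each RCPT TO; returns the delay applied."""
        if ip in self.exempt:
            return 0.0
        self.sleep(self.delay_s)
        return self.delay_s

    def max_recipients_per_hour(self):
        """Ceiling one non-exempt IP can reach: parallel slots / delay each."""
        return int(self.max_conn * 3600 / self.delay_s)


if __name__ == "__main__":
    # Constructed sample: a 2 s delay with 2 slots per IP caps one source at
    # 3600 recipients/hour, against the 50k messages/hour quoted in the thread.
    policy = RcptThrottle(delay_s=2.0, max_conn_per_ip=2)
    print(policy.max_recipients_per_hour())
```

A user mailing three recipients waits six seconds under these defaults, while the connection cap is what stops a bulk sender from buying the throughput back with parallel sockets.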