Slashdot Mirror
MIT Spam Conference Conclusions
RT Alec writes "The 2003 Spam Conference has concluded, reports InfoWorld. (related read: abstracts of the conference discussions). I was unable to attend the conference, but it appears all that was discussed was filters (client and server). I think the key problem is ISPs that do not block egress traffic on port 25. If you need to send mail through a different SMTP server than provided by your ISP, the admin of that server ought to provide you with a means of using it with authentication on a port other than 25 (you do have permission to use that SMTP server, don't you?). It is not too tough to set up an SMTP server to require authentication, or at a minimum to run off a different port. I am suprised that this is never mentioned as a cure for spam. If just AOL blocked port 25, this could reduce spam by 50% (I base this figure on close examination of the headers of the spam I receive). I was pleased to see that Barry Shein, president of The World (a Boston based ISP) was included in the talks. I am not sure by the abstract (see link above) posted if he mentioned blocking port 25. In a recent interview he did not mention it."
Does anyone have an idea how much spam comes through open relays vs. spam friendly ISPs?
How many spammers use real addresses?
The problem is that they use an AOL connection to get online, then spoof through a korean SMTP sever.
I like the idea. But, also do it for most of the dial-up services. Cable and DSL does provide a way back to the spammer's home.
Fight Spammers!
Blocking port 25 is not the answer. It creates more problems than it solves. I am a senior sysadmin at a mid size hosting center, and we run mail services for a lot of our customers. The single biggest problem with mail is dealing with ISP's that block port 25.
Saying "oh, just run it on a different port" is not as simple as it sounds to us geeks. Sure, we offer SMTP on another port to get around those ISP's, but your typical nontechnical user doesn't even understand the problem, much less know how to apply the workaround. And during the time they can't send mail, they're blaming you. They're blaming your "broken" mail service, because the mailbox their ISP provided them with is working just fine.
So you set up the nonstandard port and tell them "point it here." Now you're wasting untold amounts of tech support time on the phone with the nontechnical users -- you have to figure out what operating system and e-mail client they're using, and hopefully it's a setup that someone in your tech support organization is familiar with. Then you have to walk them through the process of setting up SMTP on a nonstandard port, and setting up authentication if necessary. During that time, you've spent enough tech support time to make that account unprofitable this month, and the spammers have found some other way to deliver their mail anyway.
Blocking egress on port 25 is not a good solution.
Tired of FB/Google censorship? Visit UNCENSORED!
No, the key problem is ISPs that don't disconnect spammers and charge them for violating the AUP, as well as ISPs that don't even have anti-spam AUP's. Open relays are next on the list. True, blocking outgoing port 25 traffic on the routers might eliminate a lot of spam (not a significant amount: in my experience the majority of spams I get are from various Asian countries, though configuring Postfix to reject connection attempts from a dozen or so subnets in China has cut down drastically), but then again, dropping every packet would solve the problem even more effectively, because:
As soon as an ISP blocks port 25, any spammers using that ISP will run their spammachines off of different ports. If an ISP requires SMTP AUTH connections to their mailservers, how long before spammers start relaying through their own ISP servers? Ultimately, blocking port 25 will have no measurable effect on spamming, because if the ISP provides a means around it for sending legitimate mail, it will be abused to send spam. All your proposed remedy will do is make life difficult for those who run legitimate mailservers.
This will stop most luser spam, because most lusers don't have fixed IP internet connections. Whether it's an idiot running an open poxy or a moron who responsed to an ad in the Weekly Saver for "MAKE $75/HR WITH YOUR COMPUTER!", at least this will get rid of the harder to trace stuff.
The real problem is ISPs that just don't fscking care. The ISPs who would go out of their way to block port 25 for fixed IP customers were probably not the ones with much of an outbound spam problem in the first place.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
This conclusion is simply and fundamentally WRONG.
It is critical for the future of the Internet that ISPs provide unmolested IP service. When ISPs are permitted to filter anything, for any reason, you start down a slippery slope. As soon as ISPs start trying to prophylactically control what goes on through filtering, they will find new things they need to control, for "security" or "liability" reasons. This will screw the end users by changing the 'net from its current state to a choice of which ISP's walled garden you want to be trapped in -- which ISP's filtering and censoring you want to pay for the privilege of being subjected to. It also screws the ISPs -- technologically it's expensive, it creates new problems for their customer service to deal with, draws the ire of some of their customers and civil liberties types, and the more they try to filter/control/censor, the more ISPs will be legally required to (the principle behind common carrier -- if I provide a neutral and blind service, I can be exempted from being required to control many things, but if I provide a controlled service where I can know what's going on, then I'm required to use my control and knowledge to prevent certain things or I can be held as aiding those things being done)
And it won't stop the bad guys. The worst thing about the spammers is that they're just smart enough that whenever any effective anti-spam measure comes around, they just find a way around it. Yes, AOL filtering outbound port 25 today will stop a lot of spam TODAY. And guess what? The spammers will just do something else. Open -- or cracked -- proxies are the up and coming new spammer tools. Please explain to me how cutting off outbound port 25 solves that problem. Please explain to me why spammers will just go away and stop spamming because you're blocking port 25 as opposed to finding some other way to spam.
This is a solution where the users lose because they lose functionality and are likely to lose more with it as precedent. It's a solution where the ISPs lose because they incur new costs and liabilities while only temporarily slowing down spam. It's a solution where the spammers lose least of all, they've been shut out of ISPs before and they've been blocked in various ways before and they already know how to do their deeds differently if they need to.
This is a really bad idea.
I am disturbed that a bunch of supposedly clueful folks came up with this.
I'm utterly confused as to why the other excellent response to this post has been marked "troll" twice.
First of all, CRM114 is just a language. Bayesian filters could just as easily be written in Perl or C. The language makes no discrimination whatsoever.
Secondly, the very point of Bayesian filtering is that it learns what you consider trash and what you consider treasure. You start with a training set of several hundred "legit" messages and several hundred spams, and it goes from there.
The reason it works so well on a person-by-person configuration is that certain phrases (eg, email addresses of people you know in the "From" header) correlate very strongly to good mail, while phrases like "click here" and "enlarge your" are almost certainly spam indicators. Everything between is personal; if you're on a BDSM list, your filter will learn that you like that stuff. Given a training set with your personal tastes, rates well in excess of 95% are possible.
Incidentally, this is why Bayesian methods aren't that great for site-wide filtering (that, and they would be tremendously slow); it's much harder to establish what a *group* of people considers to be "not spam."
I run my own mail server, for a laptop which is connected to the Internet via a number of different ISPs at different times. Using a local mailserver means that I don't need to reconfigure mail clients to point at each ISP's mail server.
However, I currently do need to reconfigure the mail server because some lame ISP does block port 25, so I have to use their mailserver (which, naturally, I can't access if I'm not using their connectivity).
Port 25 filtering is an idea I've only come across recently, and appears to affect a lot of legitimate use without bothering spammers who use lax ISPs anyway.
The people who make money sending spam will pay to get to ISPs who will allow them to do so, but legitimate private users are greatly inconvenienced by ill-informed choices such as interfering at the level of packet filtering in what is a high-level protocol problem.
Big deal if AOL blocks port 25. Then the spammer just uses an open proxy on port 1080, 8080 or others. I get scanned on those ports every week or two.
One line blog. I hear that they're called Twitters now.
I use e-mail autoforwarding to track spam. Every time I give my email address, I specify who I'm giving it to, ex. blah.com goes to blahcom@mydomain (anything@mydomain goes to the same hotmail box), so when I receive a spam, I can see which site sent it or sold the information, and block any e-mail coming from that site and everyone they sold it with To: line filters. Since most of the sites I wish to receive e-mail from are sites that don't spam me, this method has been successful in eliminating the vast majority of spam that I receive, down to only about 1 piece per day.
[i]The problem, of course, is getting large ISPs like Yahoo Inc., America Online Inc. and Microsoft Corp. to adopt the filters. As it stands now, each ISP is taking its own approach.
[/i]
Their own approach is to sell your email address to spammers. This is not difficult to realize.
- I think the key problem is ISPs that do not block egress traffic on port 25
And think a big part of the problem are the nuts who think filtering port 25 network wide is a viable option. Here are some real world numbers...Router #1:
30 second input rate 21782000 bits/sec, 6210 packets/sec
30 second output rate 12294000 bits/sec, 4651 packets/sec
Router #2:
30 second input rate 7543000 bits/sec, 2133 packets/sec
30 second output rate 12182000 bits/sec, 3183 packets/sec
(and that's business traffic at 0030ET Sunday -- it goes a lot higher during business hours.)
Routers have a lot of work to do already without having to look for spam. Devices along the lines of a Packeteer could be used to perform in-line packet inspection, but that'll get old real fast.
Yes, it's perfectly doable to filter dialup users either at the ppp line or the next hop router by either explicit blocks or redirection. Many ISPs already do this. (UUNet requires it, oddly enough.) But an equal many don't. Plus, there's a growing amount of broadband in the world.
Most companies buying network connectivity and hosting their own email systems expect them to have direct control over those systems and the routing of their email in both directions. It's a simple task to set a mail server to use a "smart host", but then one is at the mercy of those controlling that server(s).
Oh, and just how exactly will this stop them from sending spam? Exactly. Simply put, it won't. It just changes the origin of the spam and maybe speed up the response time for blocking it and dealing with the user. HOWEVER, it introduces a much larger annoyance: blacklisting of the ISP server(s) and thus hundreds or thousands of companies and/or users.
Next I suppose the ISP should be looking at the email to judge it's spamliness? Well, I'm gonna have to play my lawyer card on that bit of stupidity. The instant an ISP begins any type of content filtering, most of the protective provision of various laws cease to apply. In the eyes of the law, this would be exactly the same as the post office opening all of your mail to determine and discard what they feel is "junk mail".
In the end, spam is what it is because of the [censored] creatans who think they can make money by participating in any of a growing number of scams. Basically, technology cannot protect the internet from stupid people. (esp. when the standard was constructed in a "stupid people" void. I guess we've bred better idiots.)
The first problem is that the Reply-To field is optional as defined by RFC 2822. Secondly I would see this as an absolute nightmare for list admins. I run a mailing list for <insert open source project here>. Joe Blow signs up for it. For Joe to receive mailing list mail, someone has to respond to a message sent to the Reply-To address (which is usually the list's posting address) with whatever is needed to verify the address. Now the mail sent to Joe is auto-acking the list. Problem. Another problem. Joe wants to sign up for a mailing list no one on the server has ever signed up for before. He signs up. The MTA tries to verify that the sending address exists by auto-acking it. The sending address could very well be directed to /dev/null because a human response isn't supposed to be sent to that address. To confirm the opt-in Joe was supposed to load a URL from the initial message. Whoops. Joe can't join the list. There are ain infinite number of possible problems if a verification protocol is wrapped around email.
The ISP does not block port 25 for traffic coming into their customer's systems, they block it for traffic coming out of them.
Their customers must relay their outgoing email through the ISP's mailservers.
Messages relayed by the ISP's mailservers can include header info that ensures that the originating customer can be determined. Then, if a complaint is sent to the ISP, they can decide which customer to deal with.
This only has to be done for customers that use dynamic IP addresses - when fixed IP addresses are used, that is adequate to identify which customer sent the message.
Of course, this will only be done by those ISPs that believe in being a good netizens.
Make it not profitable(or illegal). That's the simple solution
The illegality here would scare the pants off of all the spammers in Asia, I'm sure...
I pledge allegiance to the flag...
of the Corporate States of America...
Port 25 egress blocking is a good start to the spam problem for two reasons: First, it prevents a spammer from signing up and just doing direct-to-MX spam from that throwaway account. Not many spammers do this anymore, because its easily tracead and bigger ISPs kick those accounts fastest. Second, it limits a spammer's ability to abuse open proxies and relays on a network. Say clueless users are running a WinGate open proxy or an open sendmail relay on an older default Linux/BSD install on their cable or DSL line. A spammer could try to relay spam through it, but the egress block would stop it.
I see alot of complaints here about how such a block prevents you from running a mail server on your broadband line. People, this is residential service you are getting here. If you need to run your own mail server you need to find out about that when you sign up for service. A typical residential user never needs to connect to any SMTP relay except the ones the ISP provides. These users are also more likely to cluelessly leave their computers open to abuse. If you're responsible enough to run a mail server, and you really NEED one, get a real account.
Another option is to relay your mail over a non-standard port through a third-party email provider, if you really loathe your ISPs relays. This is my situation, and I use Lux Scientiae. They run a SMTP AUTH relay on a secondary non-standard port. It's locked down to prevent abuse, and SMTP AUTH lets them track down any of their users that abuse it. They don't accept incoming mail on that non-standard port, only relay for users, so it's not like they're re-defining SMTP to use a different port.
Of course, there will always be those ISPs that really don't care about preventing abuse. This is why blocklists even exist, to allow users to shut out the bad neighborhoods on the net. It would be nice if all those residential broadband users' computers couldn't be hijacked by spammers. As it stands, they are, so one way or another port 25 traffic is blocked.
Beer wants to be free
It IS a terrible idea; if you want to offer a public data service, then that's what you offer. You don't get to make exceptions just because you feel like it, unless you are declaring, in essence, that you are providing the service of selectively restricting traffic. And in that case, you become liable for every judgement you make about who to service and who not.
A bar/pub/saloon can restrict you all sorts of ways just because they feel like it. But this doesn't give anyone the right to stop you from getting drunk, trying to pick up strangers, or making a fool of yourself in public. A public communications service is different, and for a very good reason. bars and saloons are primarily there to provide a space for private associations; a communications infrastructure is there to provide a public infrastructure. and the internet points this out very well; it's public, accept the fact or build your own fucking internet.
It comes down to this; you are advancing the idea that the primary argument is "it's mine, i can do whatever i want with it". but in the interest of creating a just society (one where few people have an interest in destroying it), we recognize many "level playing field" exceptions to this. separate water fountains, "whites only" policies, etc. tell me who and what you are and i'll tell you how you depend on this fundamental fairness. i'll also point out that the internet isn't yours and if you can't play by its fundamental rules of openness then you have no business connecting to it.
Expanding a vast wasteland since 1996.
I agree. My stay with @Home was a period of frustration. Their mail service was so bad that I didn't dare rely on it. Their excuse, "email is for noncommerical, hobbiest purposes only". Fuck you @Home. I switched to DSL and set up my own mail server along with SpamAssassin and a few blackholes to minimize spam. When something goes wrong, I can fix it myself (and blame myself, too).
I don't run an open server (I test this whenever I make any significant changes to my configuration) and certainly don't allow spam. I'm so anal that I have a filter that bounces subjects which contain "fwd: fwd:". That caught my mom and sisters a few times.
Since I have a dynamic ip address, I use a service to deal with that (along with a 15 minute cron job to make sure my domain and ip address are synced). Unfortunately, some of the more "religious" antispammers block the entire dynamic dsl range, so there are a few places that refuse mail from me (very rare, fortunately).
Preventing private email servers is just plain stupid. Just because some people are abusing this doesn't mean everyone must be punished. That's the equivlent of saying, "some people print child porn, therefore we must outlaw all private publications."
-- Will program for bandwidth
Short answer: Because you teach your filter what is spam. And everybody else teachers their personal filter.
So if your personal mail often has "penis" in it, the filter learns that it is not a good indicator for spam.
I use POPFile http://popfile.sourceforge.net/, and I have noticed that one of the best indicators seems to be certain server names.
I work for a small company that offers web hosting. Along with the web hosting, we give the customer mail accounts, with SMTP, POP and IMAP access. We have had numerous complaints from customers that were unable to connect to the SMTP server because thier ISP blocks port 25. Why shouldn't they be able to connect to any server they like? This is certainly legitimate traffic but it is being blocked because some jackasses send spam and other jackasses run open relays. Why should my users be blocked because of the actions of other users?
All I want from an ISP is an unfiltered network connection. Once the ISP starts filtering the service it is unlikely to stop. What is the next service to go? Surely people don't need to connect to IMAP or POP servers that are not on the ISP's network. Block 110 and 143. Better block 6346 while we're at it, as it cuts into the pocketbooks of our partners. Don't forget 22, it allows people to work on VIRUSES without the ISP being able to detect it! Pretty soon the network connections ISPs provide will be nearly nonexistent. Port 80 will be open to sites on the whitelist, and you can get a connection on 443 to sites that have registered with the ISP (and paid their tax to Verisign) but all other ports will be blocked. After all, why would anyone need to connect to any service that is not web-based? As everyone knows, 'the internet' == 'www' and connections to other services are not needed.
If I pay for internet access, I don't think it is unreasonable to expect access to all available services. Instead of harrassing the ISPs into degrading my service, how about harassing the mail server vendors to produce products that connot be configured as open relays?
Enigma
This will stop most luser spam, because most lusers don't have fixed IP internet connections.
Oh, that's nice of you to pass value judgements based on people's IP addresses.
I am not a "luser" (I have probably forgotten more about computing than you know), but I have a dynamic IP address simply because I don't feel like giving ATTBI another $50/month to get a static one. I also have a reason to send mails out on port 25 - I don't use my ATTBI e-mail address, I use my business one. Thus, I send my e-mail through my company's SMTP servers. I certainly have permission to do this, and a legitimate reason, so why should I be punished? I also run an SMTP server (authenticated). Sure people try and send spam though it (every day my syslog is full of Relaying Denied messages), but they fail. When they fail, their address gets blackholed (by me), and passed on to all my friends to be blackholed too).
Now, if what you meant to say was "port 25 blocking should be instituted for people on dialup addresses", I might be slightly more inclined to agree with that. There's a lot less accountability with dialup (read: modem) addresses (due to free trial accounts) than there is with cable or DSL. AT&T Worldnet, for example, drops any outgoing packets on the floor destined for port 25 on a machine other than mailhost.att.net Most of the relay attempts I see in my logs are from dialup pools.
So what is the solution? Certainly any time you institute a widespread "solution" (blackholing, port blocking, etc), innocent folks are always going to be punshed. There's lots of chatter about creating a new protocol, but guess what? If it ain't supported by Outlook, you're SOL. Whether you like it or not, no ISP is going to switch from SMTP to a protocol that will alienate a large portion of their clients. And, guess what, MS isn't going to switch from SMTP. Why? Well, at the spam conference, they said they had found the perfect algorithm to filter spam. Of course, they declined to tell us what it was...
There is no sig, there is only Zuul.
What is it with these story submitters and the inane comments they attach to the story? I seriously doubt "RT Alec" would have been a VIP guest at the conference if he feels port 25 blocking is the solution to spam.
I think the key problem is ISPs that do not block egress traffic on port 25.
No.. the ISPs that block port 25 already care about spam, they just block it to reduce their administrative load. It reduces the spam cases they have to deal with - but they still cut off spammers. If they didn't block 25, they'd still cut off the spammers. The actual problem is ISPs that don't care about spam. These ISPs don't deal with their spammers so how can you expect them to block port 25?
If just AOL blocked port 25, this could reduce spam by 50% (I base this figure on close examination of the headers of the spam I receive)
Funny, I base this statistic on the fact that you pulled it out of your ass. AOL has had spam problems, but they do deal with their spammers. It's ludicrous to suggest that they are responsible for half of all the spam on the Internet.
Tell me "RT Alec," how is port 25 blocking going to deal with rogue ISPs, who have a bulletproof connection through Verio? How about the clueless open relays that dot the maps of China, Brazil, and Argentina? What about for users of business DSL? Do we say, "you can't use your own corporate SMTP server, because you could be a spammer and we don't want to bother to deal with it?"
Spam Conference Reports As long as people are willing to push spam and people are willing to pull out there VISAs for products contained in spam, the problem will never go away. We need to start educating the newcomers to the internet that don't know better or help the people who can't contain themselves from impulse buys. ISPs should have a newcomers guide. What is SPAM and why you should avoid it. The work from home spammers are the equivalent of street pushers. The war on drugs hasn't been successful in stopping these criminals, what makes us think we can. They are inticed by the quick cash. And the addicts are inticed by the crap they buy. The only thing left is to fix SMTP and create end-to-end accountablility. Then sit back and wait for the next version of Spam to be developed. And start the cycle all over again.
My notes on the conference can be found at http://commons.somewhere.com/buzz/2003/Technology. Notes.from.th.html. The really quick summary--everyone's got content-filtering fever, and I think they are nuts. You're trying to filter something that is NP-complete (Javascript email) and then do natural language understanding on it? I don't think so. Just as an example, consider the following three spams I've received recently.
Content filtering is doomed.
Oh yes, about blocking port 25. This is always followed by "and then your sysadmin can run SMTP on a different port so that you can connect to it via that." And if this becomes common, how long do you think until the spammers start scanning for alternate SMTP ports and doing direct delivery? In any case, it's moot. 90% of your spam isn't being sent from this country anyway. You're not going to persuade those remote sysadmins to block outbound port 25 any more than we've managed to get them to close their open relays. This is big business and big bucks.
You can debate the fine points of Port 25, SMTP and Bayesian filters all day, but unless you make the economics of spam less attractive, you will never get a handle on it through technical means. If you compare spam to physical junk mail, you'll find that it is a *lot* cheaper to contact (annoy) 30 Million folks by email, than it is by using printed letters or catalogs. Until that changes, the spam merchants will read the same technical posts that you do, and evolve their offense as readily as you evolve your defense. Until it costs actual money to send each email on the internet, there will be absolutely no incentive for spammers to ever stop what they are doing, and if there's even a small amount of money to be made, there is always someone deep enough in poverty or sleazy enough to do what it takes to make it. If you enjoy the technical challenge of fighting spam, then by all means have a really good time, but please don't delude yourself into believing that that there is anything going on here but traditional bottom line economics. Unfortunately, there is always someone low enough on the totem pole to be perfectly happy to step up and do those dirty jobs that only exist to annoy almost everyone else.
Art