MIT Spam Conference Conclusions

RT Alec writes "The 2003 Spam Conference has concluded, reports InfoWorld. (related read: abstracts of the conference discussions). I was unable to attend the conference, but it appears all that was discussed was filters (client and server). I think the key problem is ISPs that do not block egress traffic on port 25. If you need to send mail through a different SMTP server than provided by your ISP, the admin of that server ought to provide you with a means of using it with authentication on a port other than 25 (you do have permission to use that SMTP server, don't you?). It is not too tough to set up an SMTP server to require authentication, or at a minimum to run off a different port. I am suprised that this is never mentioned as a cure for spam. If just AOL blocked port 25, this could reduce spam by 50% (I base this figure on close examination of the headers of the spam I receive). I was pleased to see that Barry Shein, president of The World (a Boston based ISP) was included in the talks. I am not sure by the abstract (see link above) posted if he mentioned blocking port 25. In a recent interview he did not mention it."

Blocking port 25 is terrible!

[IGnatius+T+Foobar]

Blocking port 25 is not the answer. It creates more problems than it solves. I am a senior sysadmin at a mid size hosting center, and we run mail services for a lot of our customers. The single biggest problem with mail is dealing with ISP's that block port 25.

Saying "oh, just run it on a different port" is not as simple as it sounds to us geeks. Sure, we offer SMTP on another port to get around those ISP's, but your typical nontechnical user doesn't even understand the problem, much less know how to apply the workaround. And during the time they can't send mail, they're blaming you. They're blaming your "broken" mail service, because the mailbox their ISP provided them with is working just fine.

So you set up the nonstandard port and tell them "point it here." Now you're wasting untold amounts of tech support time on the phone with the nontechnical users -- you have to figure out what operating system and e-mail client they're using, and hopefully it's a setup that someone in your tech support organization is familiar with. Then you have to walk them through the process of setting up SMTP on a nonstandard port, and setting up authentication if necessary. During that time, you've spent enough tech support time to make that account unprofitable this month, and the spammers have found some other way to deliver their mail anyway.

Blocking egress on port 25 is not a good solution.

Not quite

[leviramsey]

I think the key problem is ISPs that do not block egress traffic on port 25.

No, the key problem is ISPs that don't disconnect spammers and charge them for violating the AUP, as well as ISPs that don't even have anti-spam AUP's. Open relays are next on the list. True, blocking outgoing port 25 traffic on the routers might eliminate a lot of spam (not a significant amount: in my experience the majority of spams I get are from various Asian countries, though configuring Postfix to reject connection attempts from a dozen or so subnets in China has cut down drastically), but then again, dropping every packet would solve the problem even more effectively, because:

It is not too tough to set up an SMTP server... to run off a different port.

As soon as an ISP blocks port 25, any spammers using that ISP will run their spammachines off of different ports. If an ISP requires SMTP AUTH connections to their mailservers, how long before spammers start relaying through their own ISP servers? Ultimately, blocking port 25 will have no measurable effect on spamming, because if the ISP provides a means around it for sending legitimate mail, it will be abused to send spam. All your proposed remedy will do is make life difficult for those who run legitimate mailservers.

NO!

This conclusion is simply and fundamentally WRONG.

It is critical for the future of the Internet that ISPs provide unmolested IP service. When ISPs are permitted to filter anything, for any reason, you start down a slippery slope. As soon as ISPs start trying to prophylactically control what goes on through filtering, they will find new things they need to control, for "security" or "liability" reasons. This will screw the end users by changing the 'net from its current state to a choice of which ISP's walled garden you want to be trapped in -- which ISP's filtering and censoring you want to pay for the privilege of being subjected to. It also screws the ISPs -- technologically it's expensive, it creates new problems for their customer service to deal with, draws the ire of some of their customers and civil liberties types, and the more they try to filter/control/censor, the more ISPs will be legally required to (the principle behind common carrier -- if I provide a neutral and blind service, I can be exempted from being required to control many things, but if I provide a controlled service where I can know what's going on, then I'm required to use my control and knowledge to prevent certain things or I can be held as aiding those things being done)

And it won't stop the bad guys. The worst thing about the spammers is that they're just smart enough that whenever any effective anti-spam measure comes around, they just find a way around it. Yes, AOL filtering outbound port 25 today will stop a lot of spam TODAY. And guess what? The spammers will just do something else. Open -- or cracked -- proxies are the up and coming new spammer tools. Please explain to me how cutting off outbound port 25 solves that problem. Please explain to me why spammers will just go away and stop spamming because you're blocking port 25 as opposed to finding some other way to spam.

This is a solution where the users lose because they lose functionality and are likely to lose more with it as precedent. It's a solution where the ISPs lose because they incur new costs and liabilities while only temporarily slowing down spam. It's a solution where the spammers lose least of all, they've been shut out of ISPs before and they've been blocked in various ways before and they already know how to do their deeds differently if they need to.

This is a really bad idea.

I am disturbed that a bunch of supposedly clueful folks came up with this.

Re:One person's treasure is another person's junk.

[rkent]

I'm utterly confused as to why the other excellent response to this post has been marked "troll" twice.

First of all, CRM114 is just a language. Bayesian filters could just as easily be written in Perl or C. The language makes no discrimination whatsoever.

Secondly, the very point of Bayesian filtering is that it learns what you consider trash and what you consider treasure. You start with a training set of several hundred "legit" messages and several hundred spams, and it goes from there.

The reason it works so well on a person-by-person configuration is that certain phrases (eg, email addresses of people you know in the "From" header) correlate very strongly to good mail, while phrases like "click here" and "enlarge your" are almost certainly spam indicators. Everything between is personal; if you're on a BDSM list, your filter will learn that you like that stuff. Given a training set with your personal tastes, rates well in excess of 95% are possible.

Incidentally, this is why Bayesian methods aren't that great for site-wide filtering (that, and they would be tremendously slow); it's much harder to establish what a *group* of people considers to be "not spam."

Spam tracking

[fafalone]

I use e-mail autoforwarding to track spam. Every time I give my email address, I specify who I'm giving it to, ex. blah.com goes to blahcom@mydomain (anything@mydomain goes to the same hotmail box), so when I receive a spam, I can see which site sent it or sold the information, and block any e-mail coming from that site and everyone they sold it with To: line filters. Since most of the sites I wish to receive e-mail from are sites that don't spam me, this method has been successful in eliminating the vast majority of spam that I receive, down to only about 1 piece per day.

Yeah, blame the ISPs...

[Cramer]

• I think the key problem is ISPs that do not block egress traffic on port 25

And think a big part of the problem are the nuts who think filtering port 25 network wide is a viable option. Here are some real world numbers...

Router #1:
30 second input rate 21782000 bits/sec, 6210 packets/sec
30 second output rate 12294000 bits/sec, 4651 packets/sec
Router #2:
30 second input rate 7543000 bits/sec, 2133 packets/sec
30 second output rate 12182000 bits/sec, 3183 packets/sec
(and that's business traffic at 0030ET Sunday -- it goes a lot higher during business hours.)
Routers have a lot of work to do already without having to look for spam. Devices along the lines of a Packeteer could be used to perform in-line packet inspection, but that'll get old real fast.

Yes, it's perfectly doable to filter dialup users either at the ppp line or the next hop router by either explicit blocks or redirection. Many ISPs already do this. (UUNet requires it, oddly enough.) But an equal many don't. Plus, there's a growing amount of broadband in the world.

Most companies buying network connectivity and hosting their own email systems expect them to have direct control over those systems and the routing of their email in both directions. It's a simple task to set a mail server to use a "smart host", but then one is at the mercy of those controlling that server(s).

Oh, and just how exactly will this stop them from sending spam? Exactly. Simply put, it won't. It just changes the origin of the spam and maybe speed up the response time for blocking it and dealing with the user. HOWEVER, it introduces a much larger annoyance: blacklisting of the ISP server(s) and thus hundreds or thousands of companies and/or users.

Next I suppose the ISP should be looking at the email to judge it's spamliness? Well, I'm gonna have to play my lawyer card on that bit of stupidity. The instant an ISP begins any type of content filtering, most of the protective provision of various laws cease to apply. In the eyes of the law, this would be exactly the same as the post office opening all of your mail to determine and discard what they feel is "junk mail".

In the end, spam is what it is because of the [censored] creatans who think they can make money by participating in any of a growing number of scams. Basically, technology cannot protect the internet from stupid people. (esp. when the standard was constructed in a "stupid people" void. I guess we've bred better idiots.)

Re:Spamming vs. sending legit mail.

[Enigma2175]

I mean really.. what logical reason do AOL and friends have have for allowing customers on a $10/month disposeable account to connect *directly* to other people's mail servers?

I work for a small company that offers web hosting. Along with the web hosting, we give the customer mail accounts, with SMTP, POP and IMAP access. We have had numerous complaints from customers that were unable to connect to the SMTP server because thier ISP blocks port 25. Why shouldn't they be able to connect to any server they like? This is certainly legitimate traffic but it is being blocked because some jackasses send spam and other jackasses run open relays. Why should my users be blocked because of the actions of other users?

All I want from an ISP is an unfiltered network connection. Once the ISP starts filtering the service it is unlikely to stop. What is the next service to go? Surely people don't need to connect to IMAP or POP servers that are not on the ISP's network. Block 110 and 143. Better block 6346 while we're at it, as it cuts into the pocketbooks of our partners. Don't forget 22, it allows people to work on VIRUSES without the ISP being able to detect it! Pretty soon the network connections ISPs provide will be nearly nonexistent. Port 80 will be open to sites on the whitelist, and you can get a connection on 443 to sites that have registered with the ISP (and paid their tax to Verisign) but all other ports will be blocked. After all, why would anyone need to connect to any service that is not web-based? As everyone knows, 'the internet' == 'www' and connections to other services are not needed.

If I pay for internet access, I don't think it is unreasonable to expect access to all available services. Instead of harrassing the ISPs into degrading my service, how about harassing the mail server vendors to produce products that connot be configured as open relays?

Re:Spamming vs. sending legit mail.

[jdreed1024]

That's why I think the port 25 blocking needs to be for people on dynamic IP addresses (dialup, DHCP or PPPoE), and not for people on fixed IP addresses.

This will stop most luser spam, because most lusers don't have fixed IP internet connections.

Oh, that's nice of you to pass value judgements based on people's IP addresses.

I am not a "luser" (I have probably forgotten more about computing than you know), but I have a dynamic IP address simply because I don't feel like giving ATTBI another $50/month to get a static one. I also have a reason to send mails out on port 25 - I don't use my ATTBI e-mail address, I use my business one. Thus, I send my e-mail through my company's SMTP servers. I certainly have permission to do this, and a legitimate reason, so why should I be punished? I also run an SMTP server (authenticated). Sure people try and send spam though it (every day my syslog is full of Relaying Denied messages), but they fail. When they fail, their address gets blackholed (by me), and passed on to all my friends to be blackholed too).

Now, if what you meant to say was "port 25 blocking should be instituted for people on dialup addresses", I might be slightly more inclined to agree with that. There's a lot less accountability with dialup (read: modem) addresses (due to free trial accounts) than there is with cable or DSL. AT&T Worldnet, for example, drops any outgoing packets on the floor destined for port 25 on a machine other than mailhost.att.net Most of the relay attempts I see in my logs are from dialup pools.

So what is the solution? Certainly any time you institute a widespread "solution" (blackholing, port blocking, etc), innocent folks are always going to be punshed. There's lots of chatter about creating a new protocol, but guess what? If it ain't supported by Outlook, you're SOL. Whether you like it or not, no ISP is going to switch from SMTP to a protocol that will alienate a large portion of their clients. And, guess what, MS isn't going to switch from SMTP. Why? Well, at the spam conference, they said they had found the perfect algorithm to filter spam. Of course, they declined to tell us what it was...