Ask ISP Owner Barry Shein About the Spam Wars
Spam sucks. But it's worse for ISPs than for the rest of us, because they get bounces and complaints and other behind-the-scenes spam-caused messes the rest of us don't see. AOL talks of spam as "public enemy number one." Barry Shein, who started (and still runs) the world's first full-service dialup ISP, likens spammers to organized criminals, and calls spam "an organized, vicious, sociopathic thing" in this article, which spurred an interesting Slashdot discussion. So what should we do about spam? Ask Barry. One question per post, please. We'll post his answers to 10 of the highest-moderated questions sometime in the next week or so.
If I was the president of the company that makes Viagra I'd be nervous.
Ah, here is the reference. Diplomat shot dead in Prague
Two words: Joe job.
Your figures are totally incorrect. You obviously don't run your own mail server (or if you do, spammers have never found you).
For a start, ISPs get hit every day with repeated dictionary attacks where a spammer tries thousands of common usernames for each domain the ISP hosts. The sending hosts (usually a number of raped proxies) pipeline the SMTP sessions and don't wait for a response. Every single one of those emails chews up CPU, memory and disk space. It's a non-stop attack on your mail server queues.
When they get a miss, sendmail bounces the email to the postmaster and tries to deliver a bounce message to the forged FROM address, so your queues and disk fill up for days with this crap.
When they get a hit, it's even more disk space chewed up until the user downloads them. Some spammers are embedding HTML and graphics in their spam as well, so they are getting larger and larger.
I don't know where you saw 2-5% spam content. Most ISPs are seeing ten times that, unless they employ aggressive filters, which may be ideal for people who run their own domains but can be problematic for ISPs.
spam works... that's the root of the problem.
do you think there is anything that can combat this?
simply telling people that nothing will add three inches may not work as well as we hope for... stupid people are gullible.
Runnin' On Empty
Sure - actual costs of disk space and such is pretty low. After all, you can get 120 GB for 100 bucks these days, and spam is pretty small in size. But how about having to upgrade a server because it's too busy handling spam? Or the time it takes me to sift through 500 spams for real mail in case I have a false-positive (as I do)? Or the cost of me having to set up all sorts of anti-spam filters to block it? How about the fact that I have to back up my server to tape, and a lot of those mail spools are spam. There's a lot more to the cost of SPAM than disk and network usage alone. It takes them an hour to set up the list, the content, and then the programs blast out spam. Cost to them: Minimal. Cost to me: enormous. Cost to my coworkers: enormous. I've got the order to stop spam, but not lose mail. Fun!
Silently dropping email with no bounce message is a problem resulting from a misconfigured mailer.
This has nothing to do with SPEWS, or spam for that matter. Every spam blocking list I've ever seen identifies itself during the SMTP exchange, which should cause a bounce message on your end.
If you have indeed seen this, you should contact the site operator and let them know about the problem. If they are producing the correct SMTP message, then it's a problem with the MTA on your end.
I'm not convinced TMDA will be sufficient to thwart spammers if they only have to reply to a verification message to get their message delivered. It seems TMDA is depending on the assumption that a spammer's address is invalid immediately after the spammer sends a message and has no associated email account. This may often be the case now, but may not be the case once TMDA becomes popular.
Ever sign up for a free account for something on a web site, and it said they'll send you a confirmation e-mail with a link you have to click on to verify your e-mail address? It's a very common technique that works very well.
Except that it won't work if I whitelist my mail. I'd have to add the site to my whitelist before they send me anything, and I don't know where the mail will be coming from. Since it's an automated system, a response from a whitelist system won't be seen by a real human.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
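The challenge-response exchange debated above (TMDA-style whitelisting), as an added example that is not TMDA's code or any poster's: an HMAC-keyed confirmation address bound to the sender and an expiry, a single-use release of the held message, and an explicit pre-whitelist call for the web-site signup case where the automated sender will never answer a challenge. The `me-confirm-<expiry>-<token>@example.net` address layout, the `ChallengeResponseInbox` class and its method names are assumptions made for this illustration.

```python
import hashlib
import hmac
import re
import time

# Shape of the confirmation addresses this example hands out (an assumed layout).
CONFIRM_RE = re.compile(r"-confirm-(?P<exp>\d+)-(?P<tok>[0-9a-f]{32})@")


class ChallengeResponseInbox:
    """Toy whitelist-plus-challenge mailbox; a simplification written for this
    example, not TMDA's own design."""

    def __init__(self, secret, ttl=3 * 24 * 3600, now=time.time):
        self.secret = secret          # HMAC key that makes confirmation addresses unforgeable
        self.ttl = ttl                # how long a challenge stays answerable, in seconds
        self.now = now                # injectable clock so expiry can be tested
        self.whitelist = set()
        self.pending = {}             # token -> (sender, body) held until confirmed
        self.challenges = []          # (sender, confirmation address) sent out
        self.inbox = []               # (sender, body) delivered to the user

    def _token(self, sender, expires):
        # MAC over sender and expiry: a token cannot be replayed for another sender
        mac = hmac.new(self.secret, f"{sender}|{expires}".encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def allow(self, sender):
        """Pre-whitelist an address you expect mail from (the web-site signup case)."""
        self.whitelist.add(sender.lower())

    def receive(self, sender, body):
        sender = sender.lower()
        if sender in self.whitelist:
            self.inbox.append((sender, body))
            return "delivered"
        expires = int(self.now()) + self.ttl
        token = self._token(sender, expires)
        self.pending[token] = (sender, body)
        self.challenges.append((sender, f"me-confirm-{expires}-{token}@example.net"))
        return "challenged"

    def confirm(self, sender, reply_to):
        """Handle a reply to a challenge: a valid, unexpired, sender-bound token
        whitelists the sender and releases the held message (once)."""
        sender = sender.lower()
        m = CONFIRM_RE.search(reply_to)
        if not m:
            return "rejected"
        expires = int(m["exp"])
        expected = self._token(sender, expires)
        if self.now() > expires or not hmac.compare_digest(expected, m["tok"]):
            return "rejected"
        held = self.pending.pop(m["tok"], None)   # single use
        if held is None:
            return "rejected"
        self.whitelist.add(sender)
        self.inbox.append(held)
        return "confirmed"


if __name__ == "__main__":
    box = ChallengeResponseInbox(b"example-secret")
    print(box.receive("noreply@signup.example", "click to verify"))   # challenged, never answered
    box.allow("noreply@signup.example")                               # what the poster has to do by hand
    print(box.receive("noreply@signup.example", "click to verify"))   # delivered
```

The held message for the signup site never leaves `pending` because nothing on the other end reads the challenge, which is exactly the whitelist problem raised above; the only fix within this scheme is the `allow()` call before the mail arrives.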
I used to work at a small ISP, before it got taken over by a bigger clueless one.
We were using postfix ( http://www.postfix.org ) with PCRE support.
Incoming mail was first passed through a few DNSBLs (ordb, wirehub.nl and relays.osirusoft.com)
We had all mails checked through a simple regex body check, which looked for a few keywords like US1918 and phrases like "To unsubscribe please click". These were bounced (at that time Postfix didn't have the lovely discard keyword).
We used regular expressions from the postfix site to additionally capture spam.
We blocked outbound port 25/tcp to force dialup and cable users to relay through our servers (so that we had logs). We had no limits on how many users you sent mail to, but if you were complained about with proof as headers, then the logs got checked and the user terminated.
Also, you could use any identity you liked (we didn't have the from user@our.domain limitation).
Additionally, I had log parsers which watched for connections coming in from IPs and notified me when they went above limits within certain time periods. This was mostly useful in catching virus infected machines.
Today, I would run amavisd-new with clamav (http://clamav.elektrapro.com) for this.
I had about 5-6 false positives with this for about 9000 users with about 20K mails/day.
Mail to postmaster@our.domain, abuse@our.domain was exempt from all checks.
Using blacklists saved about 5% of our bandwidth, which in USD would have been about 50000 USD.
It should be easy enough to write a Perl script to read your logs and throttle customers down to a maximum rate.
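The three log-driven checks described in this post and in the dictionary-attack post above (per-IP connection rates within a time window, per-IP bursts of unknown-user rejects, and a per-user outbound rate to throttle against), as one added example that is not the poster's script. It is written in Python rather than the Perl the poster suggests, and the Postfix syslog line shapes, thresholds and sample lines are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Parsers for Postfix smtpd syslog lines (assumed format; adjust for your MTA).
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S+: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from \S+\[(?P<ip>[\d.]+)\]")
UNKNOWN_RE = re.compile(r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 .*User unknown")
SASL_RE = re.compile(r"sasl_username=(?P<user>\S+)")


def parse_log(text):
    """Yield (timestamp, message) for every line that looks like a Postfix log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; only relative deltas are needed here
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["msg"]


def over_limit(events, window_seconds, limit):
    """events: iterable of (timestamp, key). Return {key: peak} for every key whose
    event count inside some sliding window of window_seconds exceeds limit."""
    per_key = defaultdict(list)
    for ts, key in events:
        per_key[key].append(ts)
    flagged = {}
    for key, times in per_key.items():
        times.sort()
        recent, peak = deque(), 0
        for t in times:
            recent.append(t)
            while (t - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > limit:
            flagged[key] = peak
    return flagged


def dictionary_attackers(text, window=60, limit=5):
    """Client IPs drawing more than `limit` unknown-user rejects in `window` seconds
    (a typo or two is normal; dozens a minute is a username dictionary run)."""
    events = [(ts, m["ip"]) for ts, msg in parse_log(text) if (m := UNKNOWN_RE.search(msg))]
    return over_limit(events, window, limit)


def busy_clients(text, window=60, limit=10):
    """Client IPs opening more than `limit` SMTP connections in `window` seconds."""
    events = [(ts, m["ip"]) for ts, msg in parse_log(text) if (m := CONNECT_RE.match(msg))]
    return over_limit(events, window, limit)


def chatty_senders(text, window=3600, limit=100):
    """Authenticated users submitting more than `limit` messages per `window` seconds:
    the keys an outbound throttle (or a phone call) should target."""
    events = [(ts, m["user"]) for ts, msg in parse_log(text) if (m := SASL_RE.search(msg))]
    return over_limit(events, window, limit)


# Constructed sample log: one host hammering eight guessed usernames in eight
# seconds, and one legitimate authenticated user who mistyped a recipient.
ATTACKER, LEGIT = "203.0.113.7", "198.51.100.4"
SAMPLE_LOG = "\n".join(
    [f"Mar  3 10:00:{i:02d} mx postfix/smtpd[1201]: connect from unknown[{ATTACKER}]"
     for i in range(8)]
    + [f"Mar  3 10:00:{i:02d} mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[{ATTACKER}]: "
       f"550 5.1.1 <user{i}@example.net>: Recipient address rejected: User unknown; "
       f"from=<promo@example.org> to=<user{i}@example.net> proto=ESMTP helo=<mail.example.org>"
       for i in range(8)]
    + [f"Mar  3 10:05:00 mx postfix/smtpd[1310]: connect from dsl-4.isp.example[{LEGIT}]",
       f"Mar  3 10:05:01 mx postfix/smtpd[1310]: 7F3A2: client=dsl-4.isp.example[{LEGIT}], "
       f"sasl_method=PLAIN, sasl_username=bob",
       f"Mar  3 10:05:02 mx postfix/smtpd[1310]: NOQUEUE: reject: RCPT from dsl-4.isp.example[{LEGIT}]: "
       f"550 5.1.1 <typo@example.net>: Recipient address rejected: User unknown; "
       f"from=<bob@example.net> to=<typo@example.net>"]
)

if __name__ == "__main__":
    print("dictionary attacks:", dictionary_attackers(SAMPLE_LOG))
    print("connection floods:", busy_clients(SAMPLE_LOG, limit=5))
    print("heavy senders:", chatty_senders(SAMPLE_LOG, limit=0))
```

The sliding window is what keeps the legitimate user out of the report: a single bad recipient in a minute never crosses the threshold, while the same count from the attacking host is all inside eight seconds. Postfix can enforce the outbound side directly with its rate limits (the poster's postmaster and abuse exemptions still belong on the inbound checks, not here); the parser is for finding who to limit.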
I can throw myself at the ground, and miss.
That's all fine and dandy.... but can you find the spammers? Try it sometimes. Unless you're a law enforcement agency with a warrant, you just cannot get the ISP to go through their mail logs with you, to match up an IP address to an account or back towards the source of the spammer.
Unless we can easily get access to this information, then tracking them back through the mail path is an exercise in futility.
Go after their domain names and web hosting service. Almost ALL spam advertises web sites. 90% of them use every trick in the book to obscure the REAL domain. Some browsers display it, others don't. But if you can get their site domain name, that's the best place to start.
Using "register.com" you can get the Admin and technical contact person owning that domain. Domain registries take a dim view of people giving the Domain name resellers false and bogus information, and if you find it bogus, and complain, then in 2 weeks their domain name is history. You would be amazed at how many "whois" queries have wrong information. MOST is just outdated, but a surprising amount is intentional.
Unfortunately, spammers don't care. The average lifetime of a site advertised by a spammer is about 2 - 3 weeks anyway, and now, most of the links have raw IP addresses or are encoded in a form to be unreadable. These are usually "relay" sites that then relay to yet another server to give the spammers one more "layer" of protection, making them that much harder to find.
So far, the Domain name resellers have been pretty good about enforcing their usage policies, and are quick to respond to these complaints.
If spammers suddenly realize their domains are going to get shut down unless they provide the Domain vendors VALID contact information, then they are going to lose Web Identity, and bookmarks are going to "break"; perhaps they might then realise that providing VALID contact info might be good business practice. But I know of no spammer that ever does that.
When you DO complain, identify the domain name, state your claim the "whois" info is false, and they usually send you a "tracking number" or URL. Clicking on that will give you periodic actions they took against the owner. They usually try the numbers and emails in the "whois", and if false, they usually pull their domains immediately.
The IP addresses in email headers are valid, until you trace back past one that can't be trusted (it's malicious, or it's misconfigured, etc). Now, if this one can't be trusted to make sure it only forwards mail it's supposed to, why should it be trusted to correctly enforce any other new scheme?
It seems like what you actually want is some sort of end-to-end scheme where the sender and the recipient are sure of each other's identity. You can do this already, using software like PGP - the sender signs the message, and encrypts it using the recipient's public key.
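The point two posts up about header trust, as an added example that is not any poster's code: walk the `Received:` chain from your own MX outward, believe each hop only while the host that wrote it is one you run, and stop at the first address that a trusted host observed but you do not control. Everything further down may have been written by the sender. The header regex covers only the common `from HELO (rdns [ip]) by HOST` shape, and the sample headers and trusted-host set are constructed for the illustration.

```python
import re

# Common Received line shape (an assumption; real headers vary more than this).
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def unfold(raw_headers):
    """Join continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw_headers):
    """Received headers top to bottom, i.e. most recent hop first."""
    return [m.groupdict() for line in unfold(raw_headers) if (m := RECEIVED_RE.match(line))]


def attributable_origin(raw_headers, trusted):
    """Return the first IP that a host we control recorded but that is not itself
    one of ours. Hops written by any other host are not believed at all."""
    trusted = {t.lower().rstrip(".") for t in trusted}
    origin = None
    for hop in received_hops(raw_headers):
        if hop["by"].lower().rstrip(".") not in trusted:
            break                     # written by someone else: stop believing
        origin = hop["ip"]
        if origin not in trusted:
            break                     # a host we don't run: best attributable source
    return origin


# Constructed sample: our MX and relay are trusted; an open relay handed the
# message in, and the two hops below it claim an origin nobody can vouch for.
SAMPLE_HEADERS = """\
Received: from relay.example.net (relay.example.net [192.0.2.6])
\tby mx.example.net with ESMTP id 1a2b3c; Mon, 3 Mar 2003 10:00:05 +0000
Received: from openrelay.example.org (openrelay.example.org [203.0.113.9])
\tby relay.example.net with ESMTP id 4d5e6f; Mon, 3 Mar 2003 10:00:02 +0000
Received: from innocent.example.com (innocent.example.com [198.51.100.2])
\tby openrelay.example.org with SMTP id 7g8h9i; Mon, 3 Mar 2003 09:59:58 +0000
Received: from bigbank.example (bigbank.example [10.0.0.1])
\tby innocent.example.com with SMTP; Mon, 3 Mar 2003 09:59:50 +0000
From: accounts@bigbank.example
Subject: constructed sample message
"""
TRUSTED = {"mx.example.net", "192.0.2.5", "relay.example.net", "192.0.2.6"}

if __name__ == "__main__":
    print("hops:", [(h["ip"], h["by"]) for h in received_hops(SAMPLE_HEADERS)])
    print("attributable origin:", attributable_origin(SAMPLE_HEADERS, TRUSTED))
```

The answer is the open relay's address, not the "innocent" host or the bank-looking origin beneath it: those two lines were written by machines outside the trusted set and carry no evidential weight, which is the same reason an untrusted relay cannot be expected to enforce any new sender-identity scheme either.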