Slashdot Mirror


FTC vs. Open SMTP Relays

HighOrbit writes "Cnet reports on news.com.com that The U.S. Federal Trade Commission, several state Attorneys General, and Australia, Canada and Japan are sending this letter (pdf) to operators of open relay mail servers to educate them on the dangers of open relays and how they help spread spam. Although the letter does not threaten direct law enforcement action, it does let open relayers know that they have been noticed and warned. The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?"

30 of 328 comments

  1. Education is the key by hafree · · Score: 5, Insightful

    I remember (fondly) a few years ago when open SMTP relays were still considered a standard setup and not a major security risk. The FTC is definitely doing the right thing in alerting admins to the risks they are taking and helping them to learn how to better protect their infrastructure, as well as the burden it inevitably places on the rest of the internet community when a spammer eventually finds their open relay and shares it with others. Kudos...

  2. convincing? by punkmac · · Score: 5, Insightful

    just out of curiosity, why would any mail admin want to have an open relay? it must cost the isp time and money as well as make them look bad to the community in general. even those who do support spammers for profit, even they must have some sort of authentication?

    all this time thinking it's just horrible admins who don't know how to do their job, or are too lazy to do it right

    1. Re:convincing? by J053 · · Score: 2, Insightful

      all this time thinking it's just horrible admins who don't know how to do their job, or are too lazy to do it right

      Of course, all mail server software should ship/install with open relaying disabled by default. Every MTA I know of has some kind of configuration file or dialog, and the installer/admin should be asked explicitly if s/he wants to let anyone on the Internet send mail to anyone else on the Internet via hir server.

      This is a problem with software (from OS's to everything else) - ALL SOFTWARE SHOULD BE SECURE BY DEFAULT - then someone has to make an explicit decision to make it less secure. How long is it going to be before vendors and OSS developers get this?

  3. I think its GREAT by crotherm · · Score: 4, Insightful

    I think this letter is a good way to let ISPs know that big-bro is watching. The letter did not threaten, it only offered advice. But the casual use of "law enforcement" does give the letter just enough bite to be worrisome.

    Good job (I don't say that too often about my gov... :)

    --
    "Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK

  4. Threats or actions? by Vainglorious+Coward · · Score: 4, Insightful

    The threat of being blacklisted has not worked yet

    Maybe if the threat hasn't worked then they should actually be blacklisted?

    --
    My next sig will be ready soon, but subscribers can beat the rush

  5. relay by Anonymous Coward · · Score: 1, Insightful

    Smart businesses relay email only between SMTP servers within their company's domain. Email from outside the domain can be deposited in your mailbox. But email from outside the domain, that is not addressed to a mailbox within the domain, is bounced back to the originating domain with a Nondelivery Receipt (NDR).

    Unfortunately, there are many incompetent system administrators that have configured their SMTP servers to relay email for everyone, not just those in the local domain. Spammers use these open relays on the Internet to send millions of unsolicited messages.

    Stopping SPAM is not difficult. If every system administrator configured their SMTP servers' routing restrictions to not relay email for everyone, spammers would not be able to steal server resources that we all pay for. These inept system administrators should learn how to specify which domains they will allow to relay messages through their servers.

  6. Too little, too late by grouchyDude · · Score: 2, Insightful

    I am heartened to see that people in government are taking spam seriously as the destructive thing it is (for me, it has made email substantially less useful than it once was). That said, this measure does not seem like it's going to make a big difference by itself. There are just too many open relays, and too many users who don't have the knowledge, time or ability to properly fix things.

    It seems things have degenerated to the point that a more drastic solution will be required (such as the email tax we've heard about).

    (I am considering rotating my true email address weekly so that email to me gets a bounce message to request it be re-sent to the proper weekly destination. Horrible but maybe better than getting all that crap.)

  7. You gots ta be kiddin me by GMontag · · Score: 4, Insightful

    The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?"

    I seriously doubt it. The one time that I informed a sysadmin that he had an open relay I got back a long e-mail on how "this is the way the internet works", that may have been true in times past but it certainly was no longer true in 1996, and it even seemed a bit snotty.

    Now these guys are going to get a letter from the 'lowly' government? LOL, unless it comes from Bill Gates, in most cases, or Linus in others, they will blow it off or try to have a stupid flamewar.

    1. Re:You gots ta be kiddin me by gmack · · Score: 2, Insightful

      I find I have better luck quoting the spam and asking them if that's really what they want their business associated with their business and asking them to please close the open relay.

      Works better than pretty much every other method I've tried.

  8. Make up your minds Slashdotters by FreeLinux · · Score: 1, Insightful

    You guys want your cake and eat it too. You piss and moan every day about the "evil gubmint" and their excessive involvement in everything. Then you get your own pork project on the government's radar, in this case spam, and you are overjoyed.

    Now the government is starting to look at the spam problem and, if they address it at all, they will deal with it in the typical screwed up clueless and heavy handed fashion that you so love to bitch about.

    Make up your minds. If the government is so bad and should keep its hands off the internet then it should keep out of all aspects of the internet. You can't expect to use the government for your own bidding while at the same time keeping them out of your business. After all, that's what everybody else does and you've been bitching about it for years.

    1. Re:Make up your minds Slashdotters by pohl · · Score: 4, Insightful

      You guys want your cake and eat it too. You piss and moan every day about the "evil gubmint" and their excessive involvement in everything. Then you get your own pork project on the government's radar, in this case spam, and you are overjoyed.

      Who is this collective "you" that you're talking about? Do you realize that you're in a big room, eavesdropping on a thousand conversations, and you really don't know exactly who is expressing each individual opinion that you hear?

      If I say that I like to eat a good steak, and someone else says that "meat is murder", neither of us is guilty of hypocrisy just because we were both in the same room when we uttered our opinions.

      That's the way it works in the real world, and it's the way it works in "virtual rooms" like slashdot. I'm sorry, but you are going to have to stop thinking of online forums as one large group of clones with identical programming.

      Unless you can specifically find a fixed individual who has uttered incongruous statements, you have no grounds for your complaint. And even when you do, your complaint is only valid with respect to that individual...not everybody else who happens to be there at the time.

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  9. Re:Some simple logic in order? by el-spectre · · Score: 5, Insightful

    It seems to me that if you knowingly allow your server to be used in this way, and the various anti-spam laws go through, that you would be guilty of negligence (civil, not criminal). You could be successfully sued by the spamees (?). Most people wouldn't be subject to these charges, since negligence requires knowledge of the event (spamming) and a reasonable responsibility (and ability, I think) to prevent it. Once you are aware that your system is being used, you'd be negligent not to take reasonable efforts (authentication) to prevent it...

    --
    "Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.

  10. I'd be fired by esconsult1 · · Score: 4, Insightful

    If I got one of these, then my employers would surely terminate my spam-allowing behind.

    Right now, 70% of all the mail that arrives at our domains is spam. Perhaps half of that gets filtered, but that still leaves an uncomfortably large amount.

    RedHat did a good thing by disabling sendmail receive/sending on default installs of 8.0 and forward. Now if they would only turn off portmapper and a few other things...

  11. Re:Much better idea: by Shadestalker · · Score: 2, Insightful

    What a great idea! I say we apply this logic on a scale where it will really do some good!

    Sue the US government for having open borders that allowed terrorists to enter my country and commit their atrocities.

    Sue the maintainers of BUGTRAQ and similar resources for breaking the security-by-obscurity that was working so well for so long for all of us.

    Sue slashdot for maintaining an open forum for anyone with enough electricity dancing through their nervous system to cause them to bash the keyboard in mute fury a few times and click "Submit."

  12. Government is here to help you? by nonsecurity · · Score: 2, Insightful

    I support the intent of this letter, but do we really want the government to start going after third party mail server operators? It seems like a real slippery slope of government regulation and intervention. Better get that sendmail.cf file perfect the first time or Big Brother will come knocking to straighten you out!

    I would prefer if the FTC spent their time going after the spammers, which are the real problem.

  13. Re:Some simple logic in order? by sporty · · Score: 2, Insightful

    So to relate this to the article, I'd say that a letter from the FTC that doesn't threaten *legal* action will provide no more incentive to these system administrators to close the relays; thus the letters become little more than a waste of paper...

    Sometimes, the fact that the gov't says "don't do that" vs Roman Kazan of escape.com (he sux0rs) holds more weight. It's the same respect you show a cop than say, some random stranger. The source of a request always affects how you answer.

    Guys, how many times did you let some really cute chick ahead of you vs some random guy? Women, how many times do you do something a little nicer towards a nice looking guy vs some random 15-year old hs'er. There are exceptions to the rules, I know. :P
    --

    -
    ping -f 255.255.255.255 # if only

  14. Why Warn? by repetty · · Score: 2, Insightful

    Why warn? What kind of people are being warned? People who are either incompetent or ignorant? Is that who we are willing to allow administrate part of the Internet?

    Not me. Close 'em down. Period. Now.

    --Richard

  15. Re:Not in the lifetime of TCP/IP by sporty · · Score: 2, Insightful

    Rumor has it that there's a whole bunch of open relays out there which are owned by the spamhausen.

    Why keep them open? Why would a spamhouse want to share its resources? I'm sure they just distribute their load so isp's don't complain about bandwidth, switch around often, find spam-friendly isp's, etc..

    --

    -
    ping -f 255.255.255.255 # if only

  16. Re:Anonymity by Abm0raz · · Score: 5, Insightful

    I value anonymity as much as the next guy, but I spent 6 hours of my work day today trying to sort through nearly 30,000 received by my company. I'm creating a DB for Spam/Ham so with a little script, I can show my bosses how effective a Bayesian filter can be and I can get on with my life.

    I prefer to use anonymous mail (hotmail, yahoo, etc ...) for a lot of things. My work email is for just that: work. My home email is for friends and family. My hotmail is for everything else. You can still have anonymity and be regulated. I heard a rumor recently that Hotmail put limits on the number of mails you can send a day (I think it was 100) and the number of TO:, CC:, and BCC:s you can have (again, I think 100). This still allows us Joe Users to send what mail we need to anonymously, but still makes spamming from them difficult (but not impossible).

    -Ab

    --
    Nothing fails quite like prayer.

  17. What's really going on by truthsearch · · Score: 4, Insightful

    What you're seeing is many people here who usually complain about the "evil gubmint" saying they finally got something right. This is a rare moment when the gubmint didn't jump in and write tons of outrageous legislation. What us "slashdotters" (I hate that word) are saying is "Yeah, you guys usually screw up, but by sending just an informative letter you've finally done something right. Let's hope you keep up the good work." Intelligent people make up their minds on a case-by-case basis. Yes, many here think the government is often bad, but at least many also recognize when something's done right.

  18. Re:I don't think it's a admin problem. by Anonymous Coward · · Score: 2, Insightful

    What you're saying is that if you know someone's email address you can send them email.

    It's called SMTP.

  19. Re:We did this by bigmouth_strikes · · Score: 2, Insightful

    The real problem? Wierd foreign programmers who don't understand How Things Work and moreover don't care,(...)

    You do realize that in the large perspective - in which the Internet should be seen - it is you that are foreign, don't you?

    If you are so clever and understand How Things Work, why didn't you just shut the relays down and implement a solution that worked?

    --
    Oh, I can't help quoting you because everything that you said rings true

  20. Re:We did this by Anonymous Coward · · Score: 2, Insightful

    The real problem? Wierd foreign programmers who don't understand How Things Work

    Yeah, sum of them ferners donnt evn now ho to spell "weird."

    It's not where they're from, it's how (poorly) they're trained. And take my word for it, there are good flag-waving 'Merikuns who are just as poorly trained.

  21. You're taking a very simplistic view of the world. by doublem · · Score: 4, Insightful

    I hate to say it, but the series premiere of the short lived "Lone Gunmen" series stated it best. I will paraphrase here:

    The government is not a single, unified entity with thousands of members acting towards the same goals. It is a collection of institutions each with their own goals and agendas, often operating at cross purposes.

    To move beyond the point above, the FTC is as splintered as the rest of the government. It's starting to use the existing laws to go after SPAM, which is good. However, the portions of the FTC responsible for the whole High Definition Television mess are doing a less than spectacular job. The odds are good that the people involved in one project are not the same people involved with the other. Hell, each "Project" as I described above most likely consists of dozens of smaller units, no doubt mired in the same political issues as the organization as a whole.

    Some people in the government are doing good things, others are doing bad things, most are just doing their functionary but morally neutral jobs.

    The US Government is not "Evil" or "Good," and trying to paint it as one or the other is short sighted, childish and smacks of blind zealotry.

    Please stop trying to see the world as black and white / good and evil. The real world is far more complex than that, as are the institutions that function within it.

    One last example: Sony. Go through the Slashdot archives, and you'll find stories where they're the hero, and stories where they're the villain. This is a reflection on the way actions of specific groups within the company were perceived, not on the "Evil" or "Good" nature of the company as a whole. Slashdot is not failing to "Make up its mind" but is reflecting the fact that sometimes a company does good things, and sometimes it does bad things.

    And by the way, contrary to popular belief, Slashdot does not have one "Mind" to make up on any issue. It too, is a collection of individuals with their own agendas, views and opinions. If you are expecting any kind of unity of Slashdot users on any one topic, then you are insulting the intelligence of said users. We are individuals. This site has readers who love the Government and never question its actions, and people who hate it with every fiber of their being. The site also has people at every level between the extremes.

    "Love your country unconditionally. Love your government only when it deserves it." -- Mark Twain

    --
    "Live Free or Die." Don't like it? Then keep out of the USA

  22. Re:Some simple logic in order? by Phroggy · · Score: 2, Insightful

    Pardon my conspiracy theory, but it may very well be that these "innocent" open relays are in fact sponsored by spam clearinghouses, in which case server admins have monetary incentive to NOT close their relays.

    Hanlon's Razor: "Never attribute to malice that which can be adequately explained by stupidity."

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;

  23. Re:Some simple logic in order? by Eskarel · · Score: 2, Insightful

    Well, when it comes right down to it, the govt doesn't need to actually threaten legal action, that's just the way things work. Any admin with any sense is going to say hmmmm, the FTC has me on a list and is somewhat unhappy with me, while what I am doing may not technically be illegal now, it's quite possible that they're looking into a way to make it so (technically I think the FTC could probably nail them on something anyway). This brings up the question, "do I want to be on the govt's sh*t list when it does become illegal?".

    Given the way cyber crimes are treated these days (it wouldn't take much given the current legislation to say something like "open relays give terrorists the opportunity for untraceable communication" or something), the penalty for being on this list is probably going to be something which is at least termination of either your isp account or your job (if you're an admin), and possibly actual criminal liability.

    Not to mention the fact that it might go through some people's heads that if the govt can't charge them with something for their open relay, they might be tempted to say, investigate their company's tax records/software license/etc which very few companies want happening.

  24. Yeeeaaahhh, riiiight.... by JohnnyBigodes · · Score: 3, Insightful

    The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?

    Well for Fred's sake, if the threat of being blacklisted hasn't worked, then how the hell "attempting to educate them" will?

  25. If it only cuts the open relays in half... by tx_kanuck · · Score: 2, Insightful

    Then it would cut down on the unintentional blocking of innocent emails. It is a sad fact that when an open relay gets blacklisted, innocent users of said relay are suddenly unable to send email. I understand why people use blacklists, and in some ways I agree with it. If your ISP got blacklisted because of an open relay, would you call and complain/take your business elsewhere? Blacklists hurt the companies where it hurts, the bottom line. By sending out those letters, I think that it would bring admins to attention. It always astounds me the number of clueless admins out there, and I'm sure that some of those open relays are accidental. That letter might cause them to wake up and do their job the way they're supposed to. There will always be some open relays, but more and more of those will just get blacklisted at an ever increasing rate as their numbers shrink. Worst comes to worst, we can always send in the Marines and take them over.

    --
    Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.

  26. Re:I don't think it's a admin problem. by dnoyeb · · Score: 2, Insightful

    If they would just reject any mail with forged headers I believe 75% of spam would stop, and the other 25% would be easy to track down.

  27. Re:We did this by myov · · Score: 2, Insightful

    Two words: SMTP Authentication. Is this really such a hard concept?

    I work from home and use my corporate SMTP server all the time, without them needing to run it as an open relay. Even my ISP (the cable company) has enabled SMTP Auth.

    --
    I use Macs to up my productivity, so up yours Microsoft!
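
The relay restriction described in comment 5 and the SMTP authentication exception mentioned in comment 27, as an added example that is not part of the thread and not any MTA's own code. The domains, networks, addresses and function names are constructed for illustration, and this sketch refuses the recipient during the SMTP session rather than sending a bounce afterwards.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    """Relay rules for one mail server (all values below are constructed)."""
    local_domains: set = field(default_factory=set)        # domains with mailboxes here
    trusted_networks: list = field(default_factory=list)   # may relay without auth
    relay_for_authenticated: bool = True                   # SMTP AUTH users may relay


def recipient_domain(rcpt):
    """Return the lower-cased domain of a RCPT TO address, or None if refused."""
    local, sep, domain = rcpt.strip().strip("<>").rpartition("@")
    if not sep or not local or not domain:
        return None
    # Refuse explicit routing inside the local part (user%other.example@here,
    # bang paths, nested @) so "local" mail cannot request onward delivery.
    if any(ch in local for ch in "%!@"):
        return None
    return domain.lower().rstrip(".")


def rcpt_decision(policy, client_ip, authenticated, rcpt):
    """Decide one RCPT TO command; returns (smtp_reply_code, reason)."""
    domain = recipient_domain(rcpt)
    if domain is None:
        return 501, "malformed or source-routed recipient"
    if domain in policy.local_domains:
        return 250, "local delivery"          # anyone may send mail *to* us
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in policy.trusted_networks):
        return 250, "relay: trusted network"
    if authenticated and policy.relay_for_authenticated:
        return 250, "relay: authenticated sender"
    return 550, "relaying denied"             # refused during the SMTP session


def is_open_relay(policy, outside_ip="198.51.100.25"):
    """True if an unauthenticated outside client can reach a foreign domain.

    outside_ip must be an address you do not intend to trust; the default is
    a documentation-range placeholder.
    """
    code, _ = rcpt_decision(policy, outside_ip, False, "probe@elsewhere.invalid")
    return code == 250


# Misconfigured: every IPv4 address counts as "trusted", so anyone can relay.
OPEN = RelayPolicy(local_domains={"example.com"},
                   trusted_networks=[ipaddress.ip_network("0.0.0.0/0")])

# Restricted: relay only for the office network or for authenticated users.
CLOSED = RelayPolicy(local_domains={"example.com"},
                     trusted_networks=[ipaddress.ip_network("192.0.2.0/24")])

if __name__ == "__main__":
    for name, policy in (("OPEN", OPEN), ("CLOSED", CLOSED)):
        print(name, "open relay:", is_open_relay(policy))
        print("  outside -> local  :", rcpt_decision(policy, "203.0.113.7", False, "bob@example.com"))
        print("  outside -> foreign:", rcpt_decision(policy, "203.0.113.7", False, "x@example.org"))
        print("  auth'd  -> foreign:", rcpt_decision(policy, "203.0.113.7", True, "x@example.org"))
```

The only difference between the two policies is the trusted network list, which is why a single over-broad entry is enough to turn a working server into an open relay.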