Slashdot Mirror


FTC vs. Open SMTP Relays

HighOrbit writes "Cnet reports on news.com.com that the U.S. Federal Trade Commission, several state Attorneys General, and Australia, Canada and Japan are sending this letter (pdf) to operators of open relay mail servers to educate them on the dangers of open relays and how they help spread spam. Although the letter does not threaten direct law enforcement action, it does let open relayers know that they have been noticed and warned. The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?"

67 of 328 comments

  1. Oh hell. by grub · · Score: 4, Funny


    How am I supposed to find out about herbal viagra, hot co-eds, batteryless flashlights or stainless steel if this succeeds?
    I'm going to write my Member of Parliament about this.

    --
    Trolling is a art,
  2. Education is the key by hafree · · Score: 5, Insightful

    I remember (fondly) a few years ago when open SMTP relays were still considered a standard setup and not a major security risk. The FTC is definitely doing the right thing in alerting admins to the risks they are taking and helping them to learn how to better protect their infrastructure, as well as the burden it inevitably places on the rest of the internet community when a spammer eventually finds their open relay and shares it with others. Kudos...

    1. Re:Education is the key by Angry+White+Guy · · Score: 5, Funny

      This just means I don't have to test all my servers. Someone will let me know. Man, administrating my home network just got easier!

      --
      You think that I'm crazy, you should see this guy!
  3. Looks like... by Smirks · · Score: 5, Informative

    ... a lot of IBM AIX customers are going to get this letter:

    http://www.securityfocus.com/archive/1/321307/2003-05-13/2003-05-19/0

    1. Re:Looks like... by huhmz · · Score: 3, Funny

      a lot of IBM AIX customers are going to get this letter:

      Yeah, all 9 of them

    2. Re:Looks like... by Mikey-San · · Score: 2

      No, eight. I stopped using it last year.

      --
      Mikey-San
      Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
  4. convincing? by punkmac · · Score: 5, Insightful

    just out of curiosity, why would any mail admin want to have an open relay? it must cost the isp time and money as well as make them look bad to the community in general. even those who do support spammers for profit, even they must have some sort of authentication?

    all this time thinking it's just horrible admins who don't know how to do their job, or are too lazy to do it right

    1. Re:convincing? by Vainglorious+Coward · · Score: 2, Informative
      why would any mail admin want to have an open relay?

      Usually, they don't actually want it, they are just clueless. There's the odd individual who might claim to have justification for operating an open-relay, but in my experience, there is absolutely no reason for it these days.

      [Disclaimer : I have the highest regard and respect for John Gilmore; I just think he's wrong about this particular issue.]

      --
      My next sig will be ready soon, but subscribers can beat the rush
    2. Re:convincing? by DaveAtFraud · · Score: 4, Informative
      all this time thinking it's just horrible admins who don't know how to do their job, or are too lazy to do it right
      Here is a link to mail-abuse.org with pointers for securing most major mail systems against third party relaying. I think you had it right all along: horrible admins who are too lazy or too incompetent to update their mail server configuration.
      --
      They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
      Ben
    3. Re:convincing? by Jucius+Maximus · · Score: 2, Interesting
      " just out of curiosity, why would any mail admin want to have an open relay? it must cost the isp time and money as well as make them look bad to the community in general. even those who do support spammers for profit, even they must have some sort of authentication?"

      Maybe the documentation for their mail server is only in English and they only know some other language(s) so they can't find out about how to properly use the server. Supposedly this is part of the problem with open relays in Asia.

    4. Re:convincing? by J053 · · Score: 2, Insightful
      all this time thinking it's just horrible admins who don't know how to do their job, or are too lazy to do it right

      Of course, all mail server software should ship/install with open relaying disabled by default. Every MTA I know of has some kind of configuration file or dialog, and the installer/admin should be asked explicitly if s/he wants to let anyone on the Internet send mail to anyone else on the Internet via hir server.

      This is a problem with software (from OS's to everything else) - ALL SOFTWARE SHOULD BE SECURE BY DEFAULT - then someone has to make an explicit decision to make it less secure. How long is it going to be before vendors and OSS developers get this?

  5. Oh joy... by Gibble · · Score: 3, Funny

    I'm thinking most of these letters will be filed in the round bin.

    50% of the people receiving the letter will be the wrong person and not have a clue what it is.
    10% will read it and panic, but ultimately it won't get to the sysadmin and nothing will change
    20% will have some obscure reasons for using open relays
    and 20% of all statistics are made up as they are typed.

    --
    Gibble: Descriptive of an emotional state in which one's mind is scrabbling for some purchase on reality
  6. Some simple logic in order? by PM4RK5 · · Score: 5, Interesting

    Maybe I'm the only one that had this train of thought, but I'll put it here anyways. I, personally, run a home-based server that runs many services (web, ftp, SMTP and POP3 are some of them).

    The threat of being blacklisted would make me change my ways, as I have nothing to gain and everything to lose should that happen. I would presume the same is true for most sys admins out there, who run *honest* servers.

    Now let's say that the few "Open Relay" servers that are left are threatened, but they don't take action. Pardon my conspiracy theory, but it may very well be that these "innocent" open relays are in fact sponsored by spam clearinghouses, in which case server admins have monetary incentive to NOT close their relays.

    I'd imagine the few open relays that are left are supported by spammers in some way, as they are key in spreading spam, and most people don't want spam passing through their systems anyway, so any anti-spam person would probably close their relays as soon as they are first notified.

    So to relate this to the article, I'd say that a letter from the FTC that doesn't threaten *legal* action will provide no more incentive to these system administrators to close the relays; thus the letters become little more than a waste of paper...

    Just my thoughts on the matter.

    1. Re:Some simple logic in order? by jdreed1024 · · Score: 5, Funny
      So to relate this to the article, I'd say that a letter from the FTC that doesn't threaten *legal* action will provide no more incentive to these system administrators to close the relays; thus the letters become little more than a waste of paper...

      I agree, it's a terrible waste of paper. I think instead the FTC should send out mass e-mails about this and... uh.... wait a minute...

      --
      There is no sig, there is only Zuul.
    2. Re:Some simple logic in order? by el-spectre · · Score: 5, Insightful

      It seems to me that if you knowingly allow your server to be used in this way, and the various anti-spam laws go through, that you would be guilty of negligence (civil, not criminal). You could be successfully sued by the spamees (?). Most people wouldn't be subject to these charges, since negligence requires knowledge of the event (spamming) and a reasonable responsibility (and ability, I think) to prevent it. Once you are aware that your system is being used, you'd be negligent not to take reasonable efforts (authentication) to prevent it...

      --
      "Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
    3. Re:Some simple logic in order? by kill-hup · · Score: 5, Interesting
      Pardon my conspiracy theory, but it may very well be that these "innocent" open relays are in fact sponsored by spam clearinghouses, in which case server admins have monetary incentive to NOT close their relays.

      Interesting thought, but I doubt anybody's going to pay to have an open relay stay open. There's just so many of them out there from which to choose! ;)

      I would imagine they all fall into one of the following groups:

      • Insecure default setups
      • Admins who don't know better (or aren't really "admins")
      • Admins that don't give a crap

      Besides, I'd hate to have a business relationship or paper trail with an open relay provider in case it ever becomes possible to sue over an open relay. I'm no lawyer but I'd think you'd be an accessory by paying them to provide a questionable service.

      --
      Sinepaw.org: Grape Winos
    4. Re:Some simple logic in order? by sporty · · Score: 2, Insightful
      So to relate this to the article, I'd say that a letter from the FTC that doesn't threaten *legal* action will provide no more incentive to these system administrators to close the relays; thus the letters become little more than a waste of paper...


      Sometimes, the fact that the gov't says "don't do that" vs Roman Kazan of escape.com (he sux0rs) holds more weight. It's the same respect you show a cop than say, some random stranger. The source of a request always affects how you answer.

      Guys, how many times did you let some really cute chick ahead of you vs some random guy? Women, how many times do you do something a little nicer towards a nice looking guy vs some random 15-year old hs'er. There are exceptions to the rules, I know. :P
      --

      -
      ping -f 255.255.255.255 # if only

    5. Re:Some simple logic in order? by Phroggy · · Score: 2, Insightful

      Pardon my conspiracy theory, but it may very well be that these "innocent" open relays are in fact sponsored by spam clearinghouses, in which case server admins have monetary incentive to NOT close their relays.

      Hanlon's Razor: "Never attribute to malice that which can be adequately explained by stupidity."

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    6. Re:Some simple logic in order? by fishbowl · · Score: 2, Interesting

      > It's the same respect you show a cop

      "Are you ORDERING me to close my relay?"

      "No, I am simply making a suggestion that you do so."

      "But you are not ordering me to do it, is that correct?"

      "That is correct."

      "Good day officer, and thank you for your suggestions."

      --
      -fb Everything not expressly forbidden is now mandatory.
    7. Re:Some simple logic in order? by Eskarel · · Score: 2, Insightful
      Well, when it comes right down to it, the govt doesn't need to actually threaten legal action, that's just the way things work. Any admin with any sense is going to say hmmmm, the FTC has me on a list and is somewhat unhappy with me, while what I am doing may not technically be illegal now, it's quite possible that they're looking into a way to make it so (technically I think the FTC could probably nail them on something anyway). This brings up the question, "do I want to be on the govt's sh*t list when it does become illegal?".

      Given the way cyber crimes are treated these days (it wouldn't take much given the current legislation to say something like "open relays give terrorists the opportunity for untraceable communication" or something), the penalty for being on this list is probably going to be something which is at least termination of either your isp account or your job (if you're an admin), and possibly actual criminal liability.

      Not to mention the fact that it might go through some people's heads that if the govt can't charge them with something for their open relay, they might be tempted to say, investigate their company's tax records/software license/etc which very few companies want happening.

  7. I think its GREAT by crotherm · · Score: 4, Insightful

    I think this letter is a good way to let ISPs know that big-bro is watching. The letter did not threaten, it only offered advice. But the casual use of "law enforcement" does give the letter just enough bite to be worrisome.

    Good job (I don't say that too often about my gov... :)

    --
    "Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
  8. Threats or actions? by Vainglorious+Coward · · Score: 4, Insightful
    The threat of being blacklisted has not worked yet

    Maybe if the threat hasn't worked then they should actually be blacklisted?

    --
    My next sig will be ready soon, but subscribers can beat the rush
  9. Considering lack of spam legislation otherwise by pecosdave · · Score: 4, Funny

    I'm really glad to see the Texas seal on this document. It's really disturbed me to see Texas just standing by and ignoring the spam problem. I personally think any spammers caught in-state should be roped and dragged to the middle of town to let the people decide what to do with them. We're already proud to be #1 in executions, cowboy justice would just up our position.

    --
    The preceding post was not a Slashvertisement.
  10. Too little, too late by grouchyDude · · Score: 2, Insightful

    I am heartened to see that people in government are taking spam seriously as the destructive thing it is (for me, it has made email substantially less useful than it once was). That said, this measure does not seem like it's going to make a big difference by itself. There are just too many open relays, and too many users who don't have the knowledge, time or ability to properly fix things.

    It seems things have degenerated to the point that a more drastic solution will be required (such as the email tax we've heard about).

    (I am considering rotating my true email address weekly so that email to me gets a bounce message to request it be re-sent to the proper weekly destination. Horrible but maybe better than getting all that crap.)

  11. Not in the lifetime of TCP/IP by TVmisGuided · · Score: 4, Interesting

    Rumor has it that there's a whole bunch of open relays out there which are owned by the spamhausen. (I'd love to see some evidence to the contrary, but that's asking proof of a negative, so I won't hold my breath.) If we accept that rumor as fact for the sake of argument, all the FTC letter is going to do is tell said spamhausen that their crap is getting to the target audiences, and they'll happily redouble their efforts.

    It's been said before, but it's worth repeating. The best way to eliminate spam is not to go after the machines (and coincidentally the people in charge of the care and feeding of them). Go after the people and companies hiring the spamhausen...the ones pushing their "herbal Viagara" (sic), pr0n, better mortgage rates, and so forth down the wire and into our overloaded mail accounts. Take away the revenue stream, and all those open relays will go idle until someone puts them to better use (for example, Quake 3 servers).

    Just my two cents' worth...save up the change for a root beer or something.

    --
    All the world's an analog stage, and digital circuits play only bit parts.
    1. Re:Not in the lifetime of TCP/IP by sporty · · Score: 2, Insightful
      Rumor has it that there's a whole bunch of open relays out there which are owned by the spamhausen.


      Why keep them open? Why would a spamhouse want to share its resources? I'm sure they just distribute their load so isp's don't complain about bandwidth, switch around often, find spam-friendly isp's, etc..

      --

      -
      ping -f 255.255.255.255 # if only

  12. Southern states taking the lead? by dillon_rinker · · Score: 4, Interesting

    Signed by (among others) the attorneys general of Texas, Louisiana, Oklahoma, Arkansas, and New Mexico. Where are the states that are stereotypically tech-savvy? Where's Washington? Where's California? Why are southern states taking the lead on this? I'd think it was just a regional US thing if it weren't for the international signatures on there. Is it easier to get international agreement than interstate agreement? Seriously, what gives here?

  13. You gots ta be kiddin me by GMontag · · Score: 4, Insightful

    The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?"

    I seriously doubt it. The one time that I informed a sysadmin that he had an open relay I got back a long e-mail on how "this is the way the internet works", that may have been true in times past but it certainly was no longer true in 1996, and it even seemed a bit snotty.

    Now these guys are going to get a letter from the 'lowly' government? LOL, unless it comes from Bill Gates, in most cases, or Linus in others, they will blow it off or try to have a stupid flamewar.

    1. Re:You gots ta be kiddin me by gmack · · Score: 2, Insightful

      I find I have better luck quoting the spam and asking them if that's really what they want their business associated with their business and asking them to please close the open relay.

      Works better than pretty much every other method I've tried.

  14. Most Open Relays are Overseas by buck09 · · Score: 2, Informative

    The open relays that are most commonly abused are overseas. Hong Kong, South Korea, China, India.

    What's the FTC going to do to them, lock them up in Guantanamo Bay??

    --


    Press any key to continue, any other key to quit.
  15. Could it? Would it? by ackthpt · · Score: 4, Interesting
    The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?"

    Imagine my utter surprise when I returned from running to the PO and Baja Fresh, during lunch, hit [Get Msgs] and Nothing was there to download!!!

    I've been getting from 120-180 Ralsky-grams a day and nothing in the space of 45 minutes is downright unbelievable. I zipped over to the news to see if his house had been raided or he'd been killed by an irate sysadmin. Nothing on the news about it, maybe something is happening? If so, he and his animal food trough wiper friends will probably take a little while to shift over to some other sites and get caught up.

    --

    A feeling of having made the same mistake before: Deja Foobar
  16. I'd be fired by esconsult1 · · Score: 4, Insightful
    If I got one of these, then my employers would surely terminate my spam-allowing behind.

    Right now, 70% of all the mail that arrives at our domains is spam. Perhaps half of that gets filtered, but that still leaves an uncomfortably large amount.

    RedHat did a good thing by disabling sendmail receive/sending on default installs of 8.0 and forward. Now if they would only turn off portmapper and a few other things...

  17. Re:Much better idea: by Shadestalker · · Score: 2, Insightful

    What a great idea! I say we apply this logic on a scale where it will really do some good!

    Sue the US government for having open borders that allowed terrorists to enter my country and commit their atrocities.

    Sue the maintainers of BUGTRAQ and similar resources for breaking the security-by-obscurity that was working so well for so long for all of us.

    Sue slashdot for maintaining an open forum for anyone with enough electricity dancing through their nervous system to cause them to bash the keyboard in mute fury a few times and click "Submit."

  18. Government is here to help you? by nonsecurity · · Score: 2, Insightful

    I support the intent of this letter, but do we really want the government to start going after third party mail server operators? It seems like a real slippery slope of government regulation and intervention. Better get that sendmail.cf file perfect the first time or Big Brother will come knocking to straighten you out!

    I would prefer if the FTC spent their time going after the spammers, which are the real problem.

  19. Wha? by no+reason+to+be+here · · Score: 2, Informative

    How, exactly, is the parent off-topic? Redundant perhaps, but not off-topic.

    Anyway, I'm glad to hear this. In the last 12 months or so, my e-mail has gone from at most 4 or 5 spam messages a day to at least 25 each day, without my changing my online habits (w/ regard to who gets my e-mail address) in any significant way.

  20. Why Warn? by repetty · · Score: 2, Insightful

    Why warn? What kind of people are being warned? People who are either incompetent or ignorant? Is that who we are willing to allow to administrate part of the Internet?

    Not me. Close 'em down. Period. Now.

    --Richard

  21. We did this by DNS-and-BIND · · Score: 4, Interesting
    I worked at a company that ran open relays. I couldn't get them to shut them down, either. It was because we used a web-based email service, and they wanted people to be able to send mail with Outlook using our mail servers. The system was originally implemented on a unix platform by programmers who had mostly worked with windows in their careers. They were pretty clueless about everything...for example, our SQLnet port was wide-open to the world before I got it firewalled off, and the username was the domain name and the password was the company name spelled backwards. I told them about reply-to and other such measures, but was told that was unacceptable, we needed to keep the relays open. One manager was even demoted and eventually let go because he took it on his own authority to close down the relays one weekend because we were being used to spread the Nigerian bank account spam.

    The real problem? Wierd foreign programmers who don't understand How Things Work and moreover don't care, and executives that just want a working system and to hell with being a good netizen.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    1. Re:We did this by bigmouth_strikes · · Score: 2, Insightful

      The real problem? Wierd foreign programmers who don't understand How Things Work and moreover don't care,(...)

      You do realize that in the large perspective - in which the Internet should be seen - it is you that are foreign, don't you?

      If you are so clever and understand How Things Work, why didn't you just shut the relays down and implement a solution that worked?

      --
      Oh, I can't help quoting you because everything that you said rings true
    2. Re:We did this by Anonymous Coward · · Score: 2, Insightful

      The real problem? Wierd foreign programmers who don't understand How Things Work

      Yeah, sum of them ferners donnt evn now ho to spell "weird."

      It's not where they're from, it's how (poorly) they're trained. And take my word for it, there are good flag-waving 'Merikuns who are just as poorly trained.

    3. Re:We did this by myov · · Score: 2, Insightful

      Two words: SMTP Authentication. Is this really such a hard concept?

      I work from home and use my corporate SMTP server all the time, without them needing to run it as an open relay. Even my ISP (the cable company) has enabled SMTP Auth.

      --
      I use Macs to up my productivity, so up yours Microsoft!
  22. sendmail by sdjunky · · Score: 3, Funny

    "so will this finally convince mail server admins to shut down those open relays"

    I've been convinced for a while... I just haven't figured out the sendmail config syntax yet

    R$* . $| $* $: $1 $| $2
    R$*.dialup.$* $| DIALUP $@ DIALUP
    Rdialup.$* $| DIALUP $@ DIALUP
    R$* $| $* $: $(Spam $1 $:NOMATCH $| $1 $) $| $2
    RNOMATCH $| $+ . $* $| $* $: $>lookat_domain $2 $| $3
    R$* $| $* $@ $>comp_value $1 $| $2

    "R$". What The ????

    1. Re:sendmail by Fulcrum+of+Evil · · Score: 4, Informative

      Geez, Sparky, lay off the sendmail.cf - that's for masochists. Everyone else uses m4. 6 lines of simple macros with human-readable names is easier to maintain, too.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  23. Re:Anonymity by Abm0raz · · Score: 5, Insightful

    I value anonymity as much as the next guy, but I spent 6 hours of my work day today trying to sort through nearly 30,000 received by my company. I'm creating a DB for Spam/Ham so with a little script, I can show my bosses how effective a Bayesian filter can be and I can get on with my life.

    I prefer to use anonymous mail (hotmail, yahoo, etc ...) for a lot of things. My work email is for just that: work. My home email is for friends and family. My hotmail is for everything else. You can still have anonymity and be regulated. I heard a rumor recently that Hotmail put limits on the number of mails you can send a day (I think it was 100) and the number of TO:, CC:, and BCC:s you can have (again, I think 100). This still allows us Joe Users to send what mail we need to anonymously, but still makes spamming from them difficult (but not impossible).

    -Ab

    --
    Nothing fails quite like prayer.
  24. I don't think it's a admin problem. by BoomerSooner · · Score: 2, Interesting

    It's a protocol problem. SMTP is never going to be good enough. For example, I run qmail, courier, horde/imp. To keep it from being an open relay I use relay-ctrl. However in my testing (to make sure it wasn't open) I found a few very interesting things. On 99% of email servers if you know how to properly input the mail headers you can send anyone an email on that server.

    Granted this isn't an open relay but if you have a list of everyone at Intel (or not just figure out their email addresses via a web search). You could easily email all of them anything you wanted (as the spammer) only using their own mail server. I haven't tried this on a lot of servers but I have a very high success rate (I only try it with my friends' accounts on different servers and I let them know ahead of time so they aren't confused).

    This just helps make my point. Non authenticated SMTP is killing the internet. If the bigwigs would come out with a new OPEN protocol (AOL, MSN, Earthlink, ... in conjunction with the OSS community) it would (theoretically) solve a growing problem.

    It would be good for the software makers of email clients/servers as well because they could sell an entirely new set of software.

    I guess I'm just idealistic. I think it can be done.

    Then again, if one more damn tornado gets within 2 miles of me I may move to Colorado (like all the Californians! lol ;^)

    1. Re:I don't think it's a admin problem. by Anonymous Coward · · Score: 2, Insightful

      What you're saying is that if you know someone's email address you can send them email.

      It's called SMTP.

    2. Re:I don't think it's a admin problem. by MindStalker · · Score: 3, Informative

      All mail servers accept mail to their own users from anyone. How else are they supposed to work??? Currently there isn't some central repository of "These are safe addresses to receive mail from" And if there was it would make sending mail much more difficult. The whole point of SMTP is to accept mail for its local users, and to bounce mail from its local users to another SMTP. Anyways the only way around this would be to trust some signing entity to verify each mail server, which is a solution some are proposing, but currently does not exist.
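
The distinction drawn in the comments above (a server accepts mail for its own users from anyone, but relays to outside domains only for authenticated or trusted clients, as with SMTP Auth) can be written as a RCPT TO policy. This is an added example, not code from any poster; the domains, networks, function names and the choice to refuse `%` and `!` routing characters are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions for this example, not from the thread).
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False  # True after a successful SMTP AUTH


def split_rcpt(rcpt):
    """Return (local_part, domain) for a RCPT TO address, or None if malformed."""
    addr = rcpt.strip().strip("<>")
    # Exactly one '@' is required; this also refuses source routes such as
    # @relay.example:user@other.example
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    return local, domain.lower().rstrip(".")


def is_trusted(client_ip, nets=TRUSTED_NETS):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def rcpt_decision(session, rcpt):
    """Decide the reply to one RCPT TO command: (SMTP code, reason)."""
    parsed = split_rcpt(rcpt)
    if parsed is None:
        return 501, "malformed or source-routed address"
    local, domain = parsed
    # '%' and '!' in the local part are legacy routing syntax. A server that
    # re-routes on them relays for strangers even though the domain looks local.
    if any(ch in local for ch in "%!"):
        return 550, "routing characters in local part"
    if domain in LOCAL_DOMAINS:
        return 250, "local delivery"  # anyone may mail our own users
    if session.authenticated:
        return 250, "relay for authenticated user"
    if is_trusted(session.client_ip):
        return 250, "relay for trusted network"
    return 550, "relaying denied"


def naive_decision(session, rcpt):
    """Weak policy for contrast: only looks at the text after the last '@'."""
    domain = rcpt.strip("<>").rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS or session.authenticated:
        return 250, "accepted"
    return 550, "relaying denied"


def relays_for_strangers(decide):
    """Check a policy from an unauthenticated outside client with recipients
    that are not ours. Returns the constructed probes the policy accepted;
    an empty list means no third-party relaying was allowed."""
    outsider = Session("203.0.113.50")
    probes = [
        "<someone@elsewhere.example>",
        "<someone%elsewhere.example@example.org>",
        "<elsewhere.example!someone@example.org>",
        "<@example.org:someone@elsewhere.example>",
    ]
    return [p for p in probes if decide(outsider, p)[0] == 250]


if __name__ == "__main__":
    print("strict policy accepted:", relays_for_strangers(rcpt_decision))
    print("naive policy accepted: ", relays_for_strangers(naive_decision))
```

The addresses the naive policy accepts become third-party relaying only on a server that also honours the legacy routing syntax, which is why the stricter policy refuses them at RCPT time.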

    3. Re:I don't think it's a admin problem. by dnoyeb · · Score: 2, Insightful

      If they would just reject any mail with forged headers I believe 75% of spam would stop, and the other 25% would be easy to track down.

    4. Re:I don't think it's a admin problem. by hpavc · · Score: 2, Interesting

      yeah, and that sucks when people insist you have relaying open because their script assumes it just because you didn't drop them.

      --
      members are seeing something, your seeing an ad
    5. Re:I don't think it's a admin problem. by GC · · Score: 2, Interesting

      Who is going to check every header in every email?

      What would be the spammers' reaction? Quite easily forge 1000 headers in a single email, using up all resources of your checker and causing a denial of service?

      The SPAM phenonanom (sp?) is somewhat of a battle at the edge of crackerdom; it's the "what can I get away with" philosophy.

      My users may have very valid emails from servers in the .kr domain, yet nearly 99% of our SPAM originates from there. I don't see that as a valid reason to block all their emails.

      I really like the ideas of anti-SPAM co-operation by identifying the fingerprints of mass-emails and relaying those fingerprints to other servers - I'm yet to see the emergence of a company that can proclaim to do this effectively.

      Business Plan anyone?

      1. SPAM
      2. identify own emails
      3. publish fingerprint
      4. profit...

      damn stupid time of night to be thinking about this anyway...

      I noticed a queue building up the other day, apparently, while not being blacklisted, we had been blocked through an IP range by a provider - another customer in our range must have sent out some unsolicited mail, so I called our ISP, asked them whether there was a smart host where I could offload my queue and they obliged... not my problem any more, actually they may have dropped my queue to /dev/null, but at least it ceased to be my problem.

  25. Spammers (humans) themselves need to be stopped. by bigpat · · Score: 3, Informative

    Shutting down OpenRelays will have a negligible effect on Spam, since any Internet connected computer can send tens of thousands of spams before anyone would even notice.

    Also, there may be legitimate reasons to have OpenRelays. Much like there are legitimate reasons to have DVD copying software. Maybe only a few good reasons, but enough that they should not be banned outright.

    The only legal action that these legal folks should be taking is against those spammers using deceptive practices, which is about all of them these days. For instance the false sender information and the inability to be removed from the list. Life was okay when you could get removed from a mailing list and you really wouldn't get any more spam from them, but now they just use it as a confirmation that the email is active and to send more email.

    Open SMTP relays are not the problem any more than Open Routers are. Find the individuals that are sending these things and you will stop the problem.

  26. What's really going on by truthsearch · · Score: 4, Insightful

    What you're seeing is many people here who usually complain about the "evil gubmint" saying they finally got something right. This is a rare moment when the gubmint didn't jump in and write tons of outrageous legislation. What us "slashdotters" (I hate that word) are saying is "Yeah, you guys usually screw up, but by sending just an informative letter you've finally done something right. Let's hope you keep up the good work." Intelligent people make up their minds on a case-by-case basis. Yes, many here think the government is often bad, but at least many also recognize when something's done right.

  27. anti-spam server by joeldg · · Score: 2, Informative

    For those of you interested I posted more code for the honeymail project.
    honeymail
    Which is an anti-spam opensource forked SMTP server.

  28. self-healing open relays by Anonymous Coward · · Score: 2, Funny
    The FTC is taking a good first step with the letter. Unfortunately, the letter may never reach its intended recipient. Clearly, we need a targeted marketing strategy that would be effective. And what better targeted marketing strategy is there than email, lots and lots of it.

    The FTC should send their PDF letter to postmaster@<open-relay-host>. However, it may get lost with all the spam flowing through there, so the FTC should send many copies over and over and over and over again to that host. Now, the FTC may not have the resources to send all that email, so that's where you, Joe Netizen, can help out. Send copies of the FTC PDF to the open-relay server. It doesn't matter if your emails bounce; just manipulate the sender address to bounce it back to the open-relay server.

    Seems to me, this is a simple problem that can be solved very easily. The open relay is a free resource. Good netizens don't use them, so there's just more resources available to the spammer. If the open relay's resources are all tied up receiving and bouncing the FTC PDF, there's just that much less left to the spammer.

    Eventually, the owner of the open-relay will get tired of having his machine wedged and will be forced to close it. Problem solved.

  29. Thanks guys! by Jade+E.+2 · · Score: 4, Funny
    It would have taken me *weeks* of flying around the world to get fake signatures from all those people, but the PDF makes it easy!

    Watch, for their next letter, they're going to warn about the dangers of using Microsoft products!

  30. You're taking a very simplistic view of the world. by doublem · · Score: 4, Insightful

    I hate to say it, but the series premiere of the short lived "Lone Gunmen" series stated it best. I will paraphrase here:

    The government is not a single, unified entity with thousands of members acting towards the same goals. It is a collection of institutions each with their own goals and agendas, often operating at cross purposes.

    To move beyond the point above, the FTC is as splintered as the rest of the government. It's starting to use the existing laws to go after SPAM, which is good. However, the portions of the FTC responsible for the whole High Definition Television mess are doing a less than spectacular job. The odds are good that the people involved in one project are not the same people involved with the other. Hell, each "Project" as I described above most likely consists of dozens of smaller units, no doubt mired in the same political issues as the organization as a whole.

    Some people in the government are doing good things, others are doing bad things, most are just doing their functionary but morally neutral jobs.

    The US Government is not "Evil" or "Good," and trying to paint it as one or the other is short sighted, childish and smacks of blind zealotry.

    Please stop trying to see the world as black and white / good and evil. The real world is far more complex than that, as are the institutions that function within it.

    One last example: Sony. Go through the Slashdot archives, and you'll find stories where they're the hero, and stories where they're the villain. This is a reflection on the way actions of specific groups within the company were perceived, not on the "Evil" or "Good" nature of the company as a whole. Slashdot is not failing to "Make up its mind" but is reflecting the fact that sometimes a company does good things, and sometimes it does bad things.

    And by the way, contrary to popular belief, Slashdot does not have one "Mind" to make up on any issue. It too, is a collection of individuals with their own agendas, views and opinions. If you are expecting any kind of unity of Slashdot users on any one topic, then you are insulting the intelligence of said users. We are individuals. This site has readers who love the Government and never question its actions, and people who hate it with every fiber of their being. The site also has people at every level between the extremes.

    "Love your country unconditionally. Love your government only when it deserves it." -- Mark Twain

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  31. Re:Make up your minds Slashdotters by Abm0raz · · Score: 2, Interesting
    Are you as asinine as you sound? We (collectively) can most certainly pick and choose parts of items that we like.

    • I like the power in my new Mustang, but I don't like the layout of the console.

    • I like the girl in the cubicle beside me's cute face and pert breasts. I don't care for her dumpy ass and chunky thighs.

    • I like the concept of Open Source. I hate the mainly user unfriendliness and lack of support of the software I've tried.

    • I like slashdot. I hate trolls.

    • I like the smell of a fresh thunderstorm. I hate the water on the ground that prevents me from rollerblading.

    • I love my cell phone. I hate when people call me when I don't want to talk to them.


    This doesn't make me a hypocrite. It makes me able to appreciate different factors of things and evaluate them all separately as a basis for rating the whole. To suggest that because I hate one part of one thing means that I MUST hate the rest is ludicrous. To suggest even more that because I disliked something in the past, that I must dislike it forever is even worse. Under that theory, I'd still hate beer (mmm ... beer) nor would I have ever forgiven the guy that beat me up when we were in 3rd grade (who is now one of my best friends and drinking buddies).

    Things change, people change.

    -Ab

    --
    Nothing fails quite like prayer.
  32. Re:relay by bluesangria · · Score: 2, Interesting

    Hrrrm. It's actually a bit more difficult than that. Spammers actively look for ways around non-relaying servers, especially in this day of web-based mail forms. We had an incident where a spammer discovered that a poorly coded cgi-form would allow different e-mail addresses to be sent using our web-based mail submittal form. Even though the server was secured against relaying, it wasn't secured against receiving thousands of submittals through its web form. We only noticed it when someone complained to our ISP, who forwarded the notice on to us. We patched it up and sent an apology to our ISP and the original complainer.

    Moral of the story - don't give up complaining to an ISP about spam. You may actually get them to do something about it.
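
The failure described in the comment above, a server locked against relaying but still abused through its web mail form, is closed at the form handler rather than in the MTA. The following is an added example, not part of the original comment or of that site's code; the recipient map, addresses, field names and limits are all assumptions.

```python
import re
import time
from collections import defaultdict, deque
from email.message import EmailMessage

# Assumed site policy: the form can only deliver to these site-owned mailboxes.
RECIPIENTS = {"support": "support@example.org", "sales": "sales@example.org"}
SITE_FROM = "webform@example.org"
MAX_PER_HOUR = 5                      # submissions allowed per client address
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
_history = defaultdict(deque)         # client address -> recent submission times


class Rejected(ValueError):
    """Raised when a submission must not be turned into mail."""


def header_value(form, field, limit=200):
    """Return one form field, refusing anything that could add a header line."""
    value = str(form.get(field, "")).strip()
    if not value or len(value) > limit:
        raise Rejected(f"{field}: missing or too long")
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
        raise Rejected(f"{field}: control characters are not allowed")
    return value


def check_rate(client_ip, now):
    """Sliding one-hour window per client; raises once the quota is used up."""
    seen = _history[client_ip]
    while seen and now - seen[0] >= 3600:
        seen.popleft()
    if len(seen) >= MAX_PER_HOUR:
        raise Rejected("too many submissions from this client")
    seen.append(now)


def build_message(form, client_ip, now=None):
    """Validate a submitted form (a dict) and return the EmailMessage to send."""
    now = time.time() if now is None else now
    check_rate(client_ip, now)
    # The visitor picks a key, never an address: the To header comes from policy.
    recipient = RECIPIENTS.get(str(form.get("to", "")))
    if recipient is None:
        raise Rejected("unknown recipient")
    reply_to = header_value(form, "email")
    if not ADDR_RE.fullmatch(reply_to):
        raise Rejected("email: not a single address")
    subject = header_value(form, "subject", limit=120)
    msg = EmailMessage()
    msg["From"] = SITE_FROM           # never the visitor-supplied address
    msg["To"] = recipient
    msg["Reply-To"] = reply_to
    msg["Subject"] = "[web form] " + subject
    msg.set_content(str(form.get("message", ""))[:5000])
    return msg
```

Rejected submissions are worth logging with the client address, since a burst of them is the early signal that the form has been found.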

  33. Yeeeaaahhh, riiiight.... by JohnnyBigodes · · Score: 3, Insightful

    The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?

    Well for Fred's sake, if the threat of being blacklisted hasn't worked, then how the hell "attempting to educate them" will?

  34. If it only cuts the open relays in half... by tx_kanuck · · Score: 2, Insightful

    Then it would cut down on the unintentional blocking of innocent emails. It is a sad fact that when an open relay gets blacklisted, innocent users of said relay are suddenly unable to send email. I understand why people use blacklists, and in some ways I agree with it. If your ISP got blacklisted because of an open relay, would you call and complain/take your business elsewhere? Blacklists hurt the companies where it hurts, the bottom line. By sending out those letters, I think that it would bring admins to attention. It always astounds me the number of clueless admins out there, and I'm sure that some of those open relays are accidental. That letter might cause them to wake up and do their job the way they're supposed to. There will always be some open relays, but more and more of those will just get blacklisted at an ever increasing rate as their numbers shrink. Worst comes to worst, we can always send in the Marines and take them over.

    --
    Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
  35. Too little, too late by httptech · · Score: 5, Informative
    Most spammers no longer use open SMTP relays. They have shifted to buying several broadband connections and pumping spam through open HTTP/Socks proxies. This gives them the advantage of being able to randomize/personalize messages to get past spam filters. Also it lets them actively test for bad addresses, since they are maintaining an end-to-end SMTP connection and can read the protocol responses. In the old method of "relay rape" the bouncebacks never made it back to the spammers, so their list integrity would degrade over time.

    Here are some articles covering proxy abuse and the Sobig virus/Spam connection which detail some of the current techniques of spammers and how to fight them.

  36. Re:The key is... by GreyPoopon · · Score: 3, Interesting
    The spammer has to open SMTP connections himself to every mail server he wants to spam people on. This takes a lot more resources than putting 1000 addresses on a BCC list and firing the message off to an open relay that does all the hard work.

    I hate to say it, but this isn't nearly as much work as you might think. All it takes is a little special coding and some database maintenance -- something serious spammers would be more than willing to do. By maintaining a table of mail servers for each domain, a program could easily be created that scans through the list of email addresses, selects the correct mail server for its domain and then routes the email directly through that server. The most work would be maintaining the table of mail servers, but they could just target the big ones like Earthlink, AOL, MSN, Yahoo, Hotmail, etc. If this ever happens, you may see a rise in the popularity of Ma & Pa ISPs again.

    On a good note, spammers who directly route through the recipient's mail server will be much easier to track down -- unless they break into another computer system to do their dirty work.

    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?

  37. Re:Make up your minds Slashdotters by pohl · · Score: 4, Insightful
    You guys want your cake and eat it too. You piss and moan everyday about the "evil gubmint" and their excessive involvement in everything. Then you get your own pork project on the government's radar, in this case spam, and you are overjoyed.

    Who is this collective "you" that you're talking about? Do you realize that you're in a big room, eavesdropping on a thousand conversations, and you really don't know exactly who is expressing each individual opinion that you hear?

    If I say that I like to eat a good steak, and someone else says that "meat is murder", neither of us is guilty of hypocrisy just because we were both in the same room when we uttered our opinions.

    That's the way it works in the real world, and it's the way it works in "virtual rooms" like slashdot. I'm sorry, but you are going to have to stop thinking of online forums as one large group of clones with identical programming.

    Unless you can specifically find a fixed individual who has uttered incongruous statements, you have no grounds for your complaint. And even when you do, your complaint is only valid with respect to that individual...not everybody else who happens to be there at the time.

    --

    The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  38. err yes that is true by Archfeld · · Score: 4, Interesting

    "Come on, you don't mean that. If somebody sneaks into your house while you're not looking, "borrows" your gun, goes out and kills somebody, you're responsible? You could be accused of negligence but you're not really responsible for the killing"

    Here in Calif. unless you lock it up, with an approved security device or trigger guard YES you are and can be held responsible for gross negligence and possible homicide...no one has taken the homicide charge yet but there have been cases of negligence enforced I believe...

    I agree with you on the Key issue regarding email though...

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  39. A multi-faceted approach is needed by Anonymous Coward · · Score: 3, Informative

    I think that the open relay problem requires a multi-faceted approach. IMHO, the open relays break down into several categories that require different solutions.

    1. Legitimate mail servers that are open because of old software installs that haven't been updated, perhaps because that's a low priority. Here, education is a good first step, but threatening to blacklist them and actually following through if necessary will do the trick.

    2. Legitimate mail servers that are open because they're running very old software that's difficult to patch because of its age. Here, the admin may know that there's a problem, but he or she doesn't have the time to dig around for hard-to-find fixes, and retiring the old machine might not be an immediate option. MAPS has a good idea with its list of patches for various MTAs. I tended to get more successful communications with admins when I told them that MAPS had these resources for them to use. FYI, here's the link.

    http://www.mail-abuse.org/tsi/ar-fix.html

    3. Machines that are running MTAs but aren't an organization's real mail servers. These would be around because someone did an OS install that didn't really need a mail server, but they put it in anyway, then promptly forgot about it. They may not even know what they did. In this case, blacklisting that server doesn't mean much. Whoever administers the official mail servers could care less because that isn't a machine that is their official server, so why should they care? This could be a problem in a large organization, where you may have a bunch of uninformed bozos setting these things up faster than you can blacklist them. In this case, the only way to get results is to just blacklist the organization's entire IP space. Yes, I know that this would impact the real mail servers, which may be secure, but it'd also get the admins to take note and apply a clue-stick to the ones throwing insecure machines onto the network.

    4. Servers with admins who don't speak English. Having informative material available in different languages would be a good thing. The Chinese admin you e-mail might actually care about the problem if he could understand the issue a little better. If nothing else, having the info in various languages negates the argument that these admins don't have resources to fall back on.

    5. Servers on networks where the admins just don't give a damn. We've discussed this on Slashdot before, especially regarding Korean and Chinese networks that are getting blanket-blacklisted. I hate to see significant chunks of the Internet being walled off, but if that's what it takes, then so be it. These brain-dead admins will either have to eventually clean up their networks or have no one else who'll receive their mail. In either case, the problem will take care of itself.

  40. Re:The key is... by Enigma2175 · · Score: 2, Informative


    All it takes is a little special coding and some database maintenance...
    By maintaining a table of mail servers for each domain


    There is already such a table. It's called DNS. (example: 'dig @localhost slashdot.org MX' returns: slashdot.org. 86400 IN MX 10 mail.egl.net.)

    The procedure that you describe is how a mail server works, other than it gets the server IP via DNS rather than a local DB lookup. There is nothing preventing the spammers from running their own servers rather than using relays, other than the expense and overhead. It doesn't take any "special coding" or "database maintenance"; all it takes is a few clicks of a mouse (or a 'make setup check' if they're using Qmail).

    --

    Enigma

  41. Chain mail by DaCool42 · · Score: 2, Funny

    If you forward this PDF explaining open relays to all your friends, Bill Gates will give you a dollar for every closed relay the PDF goes through.

    --

    ----
    All of whose base are belong to the what-now?
  42. checking headers by budgenator · · Score: 2, Interesting

    Who is going to check every header in every email?
    obviously nobody is going to even try, but a yahoo, aol, msn, Earthlink, or hotmail are going to have hundreds of smtp machines load balanced off one IP address, set up ten out of a hundred to check headers thoroughly and it'll stop a lot of spam.

    I know that you're thinking that this would be like the dutch-boy with his finger in the dike, here's why I think it would be effective

    1. a spam campaign that generates a .01% response rate is considered wildly successful by SPAMMERS.

    2. if you block the one email out of ten thousand that generates revenue, then the spammer has to send an additional 10K Emails to make up the shortfall.

    the cost to the ISP rises linearly, the cost to the SPAMMER rises exponentially; and the ISPs have deeper pockets to begin with. Add in the blacklists and the big time spammers are done.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds