Slashdot Mirror
FTC vs. Open SMTP Relays
HighOrbit writes "Cnet reports on news.com.com that The U.S. Federal Trade Commission, several state Attorneys General, and Australia, Canada and Japan are sending this letter (pdf) to operators of open relay mail servers to educate them on the dangers of open relays and how they help spread spam. Although the letter does not threaten direct law enforcement action, it does let open relayers know that they have been noticed and warned. The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?"
How am I supposed to find out about herbal viagra, hot co-eds, batteryless flashlights or stainless steel if this succeeds?
I'm going to write my Member of Parliament about this.
Trolling is a art,
I remember (fondly) a few years ago when open SMTP relays were still considered a standard setup and not a major security risk. The FTC is definitely doing the right thing in alerting admins to the risks they are taking and helping them to learn how to better protect their infrastructure, as well as the burden it inevitably places on the rest of the internet community when a spammer eventually finds their open relay and shares it with others. Kudos...
... alot of IBM AIX customers are going to get this letter:
0 03 -05-13/2003-05-19/0
http://www.securityfocus.com/archive/1/321307/2
[Got Hosting?]
just out of curosity, why would any mail admin want to have an open relay? it must cost the isp time and money as well as make them look bad to the community in general. even those who do support spammers for profit, even they must have some sort of authentication?
all this time thinking its just horrible admins who dont know how to do their job, or are to lazy to do it right
I'm thinking most of these letters will be filed in the round bin.
50% of the people recieving the letter will be the wrong person and not have a clue what it is.
10% will read it and panic, but ultimately it won't get to the sysadmin and nothing will change
20% will have some obscure reasons for using open relays
and 20% of all statistics are made up as they are typed.
Gibble: Descriptive of an emotional state in which one's mind is scrabbling for some purchase on reality
Maybe I'm the only one that had this train of thought, but I'll put it here anyways. I, personally, run a home-based server that runs many services (web, ftp, SMTP and POP3 are some of them).
The threat of being blacklisted would make me change my ways, as I have nothing to gain and everything to lose should that happen. I would presume the same is true for most sys admins out there, who run *honest* servers.
Now let's say that the few "Open Relay" servers that are left are threatened, but they don't take action. Pardon my conspiracy theory, but it may very well be that these "innocent" open relays are in fact sponsored by spam clearinghouses, in which case server admins have monetary incentive to NOT close their relays.
I'd imagine the few open relays that are left are supported by spammers in some way, as they are key in spreading spam, and most people don't want spam passing through their systems anyway, so any anti-spam person would probably close their relays as soon as they are first notified.
So to relate this to the article, I'd say that a letter from the FTC that doesn't threaten *legal* action will provide no more incentive to these system administrators to close the relays; thus the letters become little more than a waste of paper...
Just my thoughts on the matter.
I think this letter is a good way to let ISPs know that big-bro is watching. The letter did not threaten, it only offered advice. But the casual use of "law enforcement" does give the letter just enough bite to be worry some.
:)
Good job (i don't say that too often about my gov...
"Those who make peaceful revolution impossible, make violent revolution inevitable" - JFK
Maybe if the threat hasn't worked then they should actually be blacklisted?
My next sig will be ready soon, but subscribers can beat the rush
I'm really glad to see the Texas seal on this document. It's really disturbed me to see Texas just standing by and ignoring the spam problem. I personally think any spammers caught in-state should be roped and dragged to the middle town to let the people decide what to do with them. We're already proud to be #1 in executions, cowboy justice would just up our position.
The preceding post was not a Slashvertisement.
Rumor has it that there's a whole bunch of open relays out there which are owned by the spamhausen. (I'd love to see some evidence to the contrary, but that's asking proof of a negative, so I won't hold my breath.) If we accept that rumor as fact for the sake of argument, all the FTC letter is going to do is tell said spamhausen that their crap is getting to the target audiences, and they'll happily redouble their efforts.
It's been said before, but it's worth repeating. The best way to eliminate spam is not to go after the machines (and coincidentally the people in charge of the care and feeding of them). Go after the people and companies hiring the spamhausen...the ones pushing their "herbal Viagara" (sic), pr0n, better mortgage rates, and so forth down the wire and into our overloaded mail accounts. Take away the revenue stream, and all those open relays will go idle until someone puts them to better use (for example, Quake 3 servers).
Just my two cents' worth...save up the change for a root beer or something.
All the world's an analog stage, and digital circuits play only bit parts.
Signed by (among others) the attorneys general of Texas, Louisiana, Oklahoma, Arkansas, and New Mexico. Where are the states that are sterotypically tech-savvy? Where's Washington? Where's California? Why are southern states taking the lead on this? I'd think it was just a regional US thing if it weren't for the international signatures on there. Is it easier to get international agreement than interstate agreement? Seriously, what gives here?
The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?"
I seriously doubt it. The one time that I informed a sysadmin that he had an open relay I got back a long e-mail on how "this is the way the internet works", that may have been true in times past but it certainly was no longer true in 1996, and it even seemed a bit snotty.
Now these guys are going to get a letter from the 'lowley' government? LOL, unless it comes from Bill Gates, in most cases, or Linus in others, they will blow it off or try to have a stupid flamewar.
Eve Fairbanks says I drive a hybrid!LOL
Imagine my utter surprise when I returned from running to the PO and Baja Fresh, during lunch, hit [Get Msgs] and Nothing was there to download!!!
I've been getting from 120-180 Ralsky-grams a day and nothing in the space of 45 minutes is downright unbelievable. I zipped over to the news to see if his house had been raided or he'd been kill by an irate sysadmin. Nothing on the news about it, maybe something is happening? If so, he and his animal food trough wiper friends will probably take a little while to shift over to some other sites and get caught up.
A feeling of having made the same mistake before: Deja Foobar
Right now, 70% of all the mail that arrives at our domains is spam. Perhaps half of that gets filtered, but that still leaves an uncomfortably large amount.
RedHat did a good thing by disabling sendmail receive/sending on default installs of 8.0 and forward. Now if they would only turn off portmapper and a few other things...
Newsfollow.com
The real problem? Wierd foreign programmers who don't understand How Things Work and moreover don't care, and executives that just want a working system and to hell with being a good netizen.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
"so will this finally convince mail server admins to shut down those open relays"
I've been convinced for a while... I just haven't figured out the sendmail config syntax yet
R$* . $| $* $: $1 $| $2
R$*.dialup.$* $| DIALUP $@ DIALUP
Rdialup.$* $| DIALUP $@ DIALUP
R$* $| $* $: $(Spam $1 $:NOMATCH $| $1 $) $| $2
RNOMATCH $| $+ . $* $| $* $: $>lookat_domain $2 $| $3
R$* $| $* $@ $>comp_value $1 $| $2
"R$". What The ????
I value anonymity as much as the next guy, but I spent 6 hours of my work day today trying to sort through nearly 30,000 received by my company. I'm creating a DB for Spam/Ham so with a little script, I can show my bosses how effective a bayesian filter can be and I can get on with my life.
...) for a lot of things. My work email is for just that: work. My home email is for friends and family. My hotmail is for everything else. You can still have anonymity and be regulated. I heard a rumor recently that Hotmail put limits on the number of mails you can send a day (I think it was 100) and the number of TO:, CC:, and BCC:s you can have (again, i think 100). This still allows us Joe Users to send what mail we need to anonymously, but still makes spamming from them difficult (but not impossible).
I prefer to use anonymous mail (hotmail, yahoo, etc
-Ab
Nothing fails quite like prayer.
Shutting down OpenRelays will have a negligable effect on Spam, since any Internet connected computer can send tens of thousands of spams before anyone would even notice.
Also, there may be legitimate reasons to have OpenRelays. Much like there are legitimate reasons to have DVD copying software. Maybe only a few good reasons, but enough that they should not be banned outright.
The only legal action that these legal folks should be taking is against those spammers using deceptive practices, which is about all of them these days. For instance the false sender information and the innability to be removed from the list. Life was okay when you could get removed from a mailing list and you really wouldn't get any more spam from them, but now they just use it as a confirmation that the email is active and to send more email.
Open SMTP relays are not the problem any more than Open Routers are. Find the individuals that are sending these things and you will stop the problem.
What you're seeing is many people here who usually complain about the "evil gubmint" saying they finally got something right. This is a rare moment when the gubmint didn't jump in and write tons of outragious legislation. What us "slashdotters" (I hate that word) are saying is "Yeah, you guys usually screw up, but by sending just an informative letter you've finally done something right. Let's hope you keep up the good work." Intelligent people make up their minds on a case-by-case basis. Yes, many here think the government is often bad, but at least many also recognize when something's done right.
Developers: We can use your help.
Watch, for their next letter, they're going to warn about the dangers of using Microsoft products!
I hate to say it, but the series premiere of the short lived "Lone Gunmen" series stated it best. I will paraphrase here:
The government is not a single, unified entity with thousands of members acting towards the same goals. It is a collection of institutions each with their own goals and agendas, often operating at cross purposes.
To move beyond the point above, the FTC is as splintered as the rest of the government. It's starting to use the existing laws to go after SPAM, which is good. However, the portions of the FTC responsible for the whole High Definition Television mess is doing a less than spectacular job. The odds are good that the people involved in one project are not the same people involved with the other. Hell, each "Project" as I described above most likely consists of dozens of smaller units, no doubt mired in the same political issues as the organization as a whole.
Some people in the government are doing good things, others are doing bad things, most are just doing their functionary but morally neutral jobs.
The US Government is not "Evil" or "Good," and trying to paint it as one or the other is short sighted, childish and smacks of blind zealotry.
Please stop trying to see the world as black and white / good and evil. The real world is far more complex than that, as are the institutions that function within it.
One last example: Sony. Go through the Slashdot archives, and you'll find stories where they're the her, and stories where they're the villain. This is a reflection on the way actions of specific groups within the company were perceived, not on the "Evil" or "Good" nature of the company as a whole. Slashdot is not failing to "Make up its mind" but is reflecting the fact that sometimes a company does good things, and sometimes it does bad things.
And by the way, contrary to popular belief, Slashdot does not have one "Mind" to make up on any issue. It too, is a collection of individuals with their own agendas, views and opinions. If you are expecting any kind of unity of Slashdot users on any one topic, then you are insulting the intelligence of said users. We are individuals. This site has readers who love the Government and never question it's actions, and people who hat it with every fiber of their being. The site also has people at every level between the extremes.
"Love your country unconditionally. Love your government only when it deserves it." -- Mark Twain
"Live Free or Die." Don't like it? Then keep out of the USA
All mail servers accept mail to their own users form anyone. How else are they supposed to work??? Currently there isn't some central repository of "These are safe addresses to receieve mail from" And if there was it would make sending mail much more difficult. The whole point of SMTP is to accept mail for its local users, and to bounce mail from its local users to another SMTP. Anyways the only way around this would be to trust some signing intity to verify each mail server, which is a solution some are poposing, but currently does not exist.
The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?
Well for Fred's sake, if the threat of being blacklisted hasn't worked, then how the hell "attempting to educate them" will?
Here are some articles covering proxy abuse and the Sobig virus/Spam connection which detail some of the current techniques of spammers and how to fight them.
I hate to say it, but this isn't nearly as much work as you might think. All it takes is a little special coding and some database maintenance -- something serious spammers would be more than willing to do. By maintaining a table of mail servers for each domain, a program could easily be created that scans through the list of email addresses, selects the correct mail server for its domain and then routes the email directly through that server. The most work would be maintaining the table of mail servers, but they could just target the big ones like Earthlink, AOL, MSN, Yahoo, Hotmail, etc. If this ever happens, you may see a rise in the popularity of Ma & Pa ISPs again.
On a good note, spammers who directly route through the recipient's mail server will be much easier to track down -- unless they break into another computer system to do their dirty work.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
Who is this collective "you" that you're talking about? Do you realize that you're in a big room, eavesdropping on a thousand conversations, and you really don't know exactly who is expressing each individual opinion that you hear?
If I say that I like to eat a good steak, and someone else says that "meat is murder", neither of us is guilty of hypocrisy just because we were both in the same room when we uttered our opinions.
That's the way it works in the real world, and it's the way it works in "virtual rooms" like slashdot. I'm sorry, but you are going to have to stop thinking of online forums as one large group of clones with identical programming.
Unless you can specifically find a fixed individual who has uttered incongruous statements, you have no grounds for your complaint. And even when you do, your complaint is only valid with respect to that individual...not everybody else who happens to be there at the time.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
"Come on, you don't mean that. If somebody sneaks into your house while you're not looking, "borrows" your gun, goes out an kills somebody, you're responsible? You could be accused of negligence but you're not really responsible for the killing"
Here in Calif. unless you lock it up, with an approved security device or trigger guard YES you are and can be held responsible for gross negligence and possible homicide...no one has taken the homicide charge yet buty there have been cases of negligence enforced I believe...
I agree with you on the Key issue regarding email though...
errr....umm...*whooosh* *whoosh* Is this thing on ?
I think that the open relay problem requires a multi-facited approach. IMHO, the open relays break down into several categories that require different solutions.
1. Legitimate mail servers that are open because of old software installs that haven't been updated, perhaps because that's a low priority. Here, education is a good first step, but threatening to blacklist them and actually following through if necessary will do the trick.
2. Legitimate mail servers that are open because they're running very old software that's difficult to patch because of its age. Here, the admin may know that there's a problem, but he or she doesn't have the time to dig around for hard-to-find fixes, and retiring the old machine might not be an immediate option. MAPS has a good idea with its list of patches for various MTAs. I tended to get more successful communications with admins when I told them that MAPS had these resources for them to use. FYI, here's the link.
http://www.mail-abuse.org/tsi/ar-fix.html
3. Machines that are running MTAs but aren't an organization's real mail servers. These would be around because someone did an OS install that didn't really need a mail server, but they put it in anyway, then promptly forgot about it. They may not even know what they did. In this case, blacklisting that server doesn't mean much. Whoever administers the official mail servers could care less because that isn't a machine that is their official server, so why should they care? This could be a problem in a large organization, where you may have a bunch of uninformed bozos setting these things up faster than you can blacklist them. In this case, the only way to get results is to just blacklist the organization's entire IP space. Yes, I know that this would impact the real mail servers, which may be secure, but it'd also get the admins to take note and apply a clue-stick to the ones throwing insecure machines onto the network.
4. Servers with admins who don't speak English. Having informative material available in different languages would be a good thing. The Chinese admin you e-mail might actually care about the problem if he could understand the issue a little better. If nothing else, having the info in various languages negates the argument that these admins don't have resources to fall back on.
5. Servers on networks where the admins just don't give a damn. We've discussed this on Slashdot before, especially regarding Korean and Chinese networks that are getting blanket-blacklisted. I hate to see siginifican't chunks of the Internet being walled off, but if that's what it takes, then so be it. These brain-dead admins will either have to eventually clean up their networks or have no one else who'll receive their mail. In either case, the problem will take care of itself.