Slashdot Mirror
FTC vs. Open SMTP Relays
HighOrbit writes "Cnet reports on news.com.com that The U.S. Federal Trade Commission, several state Attorneys General, and Australia, Canada and Japan are sending this letter (pdf) to operators of open relay mail servers to educate them on the dangers of open relays and how they help spread spam. Although the letter does not threaten direct law enforcement action, it does let open relayers know that they have been noticed and warned. The threat of being blacklisted has not worked yet, so will this finally convince mail server admins to shut down those open relays?"
I remember (fondly) a few years ago when open SMTP relays were still considered a standard setup and not a major security risk. The FTC is definitely doing the right thing in alerting admins to the risks they are taking and helping them to learn how to better protect their infrastructure, as well as the burden it inevitably places on the rest of the internet community when a spammer eventually finds their open relay and shares it with others. Kudos...
... alot of IBM AIX customers are going to get this letter:
0 03 -05-13/2003-05-19/0
http://www.securityfocus.com/archive/1/321307/2
[Got Hosting?]
just out of curosity, why would any mail admin want to have an open relay? it must cost the isp time and money as well as make them look bad to the community in general. even those who do support spammers for profit, even they must have some sort of authentication?
all this time thinking its just horrible admins who dont know how to do their job, or are to lazy to do it right
Maybe I'm the only one that had this train of thought, but I'll put it here anyways. I, personally, run a home-based server that runs many services (web, ftp, SMTP and POP3 are some of them).
The threat of being blacklisted would make me change my ways, as I have nothing to gain and everything to lose should that happen. I would presume the same is true for most sys admins out there, who run *honest* servers.
Now let's say that the few "Open Relay" servers that are left are threatened, but they don't take action. Pardon my conspiracy theory, but it may very well be that these "innocent" open relays are in fact sponsored by spam clearinghouses, in which case server admins have monetary incentive to NOT close their relays.
I'd imagine the few open relays that are left are supported by spammers in some way, as they are key in spreading spam, and most people don't want spam passing through their systems anyway, so any anti-spam person would probably close their relays as soon as they are first notified.
So to relate this to the article, I'd say that a letter from the FTC that doesn't threaten *legal* action will provide no more incentive to these system administrators to close the relays; thus the letters become little more than a waste of paper...
Just my thoughts on the matter.
I value anonymity as much as the next guy, but I spent 6 hours of my work day today trying to sort through nearly 30,000 received by my company. I'm creating a DB for Spam/Ham so with a little script, I can show my bosses how effective a bayesian filter can be and I can get on with my life.
...) for a lot of things. My work email is for just that: work. My home email is for friends and family. My hotmail is for everything else. You can still have anonymity and be regulated. I heard a rumor recently that Hotmail put limits on the number of mails you can send a day (I think it was 100) and the number of TO:, CC:, and BCC:s you can have (again, i think 100). This still allows us Joe Users to send what mail we need to anonymously, but still makes spamming from them difficult (but not impossible).
I prefer to use anonymous mail (hotmail, yahoo, etc
-Ab
Nothing fails quite like prayer.
Here are some articles covering proxy abuse and the Sobig virus/Spam connection which detail some of the current techniques of spammers and how to fight them.