AT&T Moves Toward Mail-Server Whitelist
Gunfighter writes "In an apparent attempt to quelch the amount of incoming spam, AT&T has asked their customers, partners, and business clients to provide them with IP addresses of their mail servers. All other mail will be discarded. To quote the message: "... In order to continue to allow email to AT&T you need to provide the IP addresses of all your outbound email gateways. If you do not respond immediately, your access may not continue.""
And it's been blocking email I send to my work account! Now I understand what's going on.
SMTP email was nice while it lasted.
Semaphore, anyone? Smoke signals?
News for Nerds. Stuff that Matters? Like hell.
..the spammers to get AT&T to whitelist their IPs?
is a few spam servers to get on the list, and a few legit servers to get hacked and taken off the list (and tries to get on again) before there will be hell and ATT would have to abandon the plan, wasting all this time and resources used to instate this plan in the first place.
Great shame, really...
My life in the land of the rising sun.
Why don't the operators of the internet just sue these clowns and their product manufacturers and put a stop to this stupidity.
It would be nice if some VOICE speaking for the INTERNET would just say "We're not taking this shit anymore and we're gonna nail you little bitches!".
I don't think there is anything difficult in stopping it. Just clueless management.
And please don't tell me that the internet is not managed by a few companies because it is.
I had an "unpublished" landline phone number, and chose a third-party carrier for my long distance service. AT&T called me every week as long as I had that phone line, trying to sell me long distance service, no matter that every time I called, I said "no" and told them to never call again.
It seems that AT&T thinks that if you don't want to do business with them, then they automatically deserve to be on your whitelist.
Voice spam is just as bad as email spam. Even worse, since you can't deal with it on YOUR time.
Give me my freedom, and I'll take care of my own security, thank you.
So I, random customer or investor X, wish to contact AT&T by email, and I can't because my ISP's mailserver is not on AT&T's allow list ?
Sounds like the cure is worse than the problem. Why have a mailserver at all then ?
Personally, I can't see this working very well.
On the other hand, there are other approaches just as destructive.
I run an outbound SMTP server for my own personal use, in part because my ISP's SMTP server sucks.
At times, it could take 30 or more minutes to relay an email to myself.
One of the problems with this is that apparently I got listed on some kind of dial-up user block list, and my mother's ISP blocks those users from sending to its users.
The downside is that my mother's ISP also blocks my ISP's SMTP server.
Isn't that useful.
Remove the caps and hold to a mirror.
This can't be right... Most businesses have no idea what an IP address is, let alone the IP addresses of people who send them email... It sounds like an utterly stupid plan. What's to stop spammers sending them IP addresses of their mail sending boxes or open relays?
Hopefully RMX will get off the ground soon, so we can all do this automatically.
autopr0n is like, down and stuff.
spam is bad and wrong.
but asking everyone to white-list their mail servers is even more wrong.
Can't I send an email to my friends working at AT&T using my yahoo mail account because it is widely used by spammers ? Or god forbid hotmail ?
Looks like s**t-for-brains was on duty at the giant telco again.
Wondering how long this grand-idea is going to last.
__________
The more I know people, the more I love animals
They should've gone one step further - accept only authenticated (TLS'ed) SMTP connections and manage whitelisted certificates instead of IP addresses. This would require gradual implementation and will take longer to set up, but once deployed the management would involve significantly less headache than with IP whitelists.
3.243F6A8885A308D313
I wonder how the people on AT&T's ISP networks are going to feel about not being able to communicate with mom and dad in Singapore? And all those folks (or those few folks, I suppose, depending on who you hang with) running personal SMTP services from their homes for the added privacy it buys them.
Yes, there's a lot of trash spam out there. It's NOT impossible to stop, but solutions like this one are not going to substantially help. If AT&T closes off its mail network to the world outside, those broadband customers running open proxies just become that much more valuable - then ATs own customers become the conduit of the spam they are trying to squash. There are thousands of "questionable" usenet posts that originate from roadrunner and AT&T and pacbell and earthlink usenet servers that are proxied there through their own broadband customers. Even locking those customers down to port 80 access won't stop trojans and backdoors, so logically I guess this is just the first step to AT&T closing off its network from the internet entirely?
Maybe they'll just firewall all their customers in and dish out the DMCA approved web pages through proxy farms... that'll teach those evil spammers!
I oversee an IT department. While we're lucky enough to have a highly technical user base there are still users that need a little help. And some of them will have to write at&t.
"Solutions" like this do little to stem the tide of spam, they only shift the burden to others. Now, in order to ensure that my users can send email to the customers and contacts they need at at&t, I have to keep them up to date with our whereabouts on the net?
Earlier this year we had to deal with a spate of denied messages caused when a number of large organizations blocked our entire address block because they believed it was a DSL block. This was the only reason. Not that spam originated from any of these addresses,
The only way to stop spam is to stop the spammers. The only way to stop the spammers is to stop those that pay them or otherwise make money through the spam.
\Drew National Data Director, John Edwards for President
I don't think spammers care that much about getting AT&T employees while they are at work to try to hack this en masse.
autopr0n is like, down and stuff.
This is really a lose-lose situation and it's disappointing to see this. If there's going to be a concept of trusted mail servers, we need to use a technological solution that allows easy, open, and transferable trusted participation in the network - maybe for once an application where a web-of-trust would actually function. Even the current system with centralized, subscription-based blackhole lists is far better - at least you only have 5-10 different places to go if you end up on somebody's shit list.
In the dark world of the future you'll have to fight your way through bureaucracy and stupid sysadmins (and yes, the vast majority of sysadmins are fucking idiots, though I know that's not a popular opinion around here) for each and every company, organization or domain you want to send email to. That sounds like an infeasible, unmaintainable system to me.
Personally, I find the spam filtering on my fastmail (www.fastmail.fm) account to be incredibly reliable and effective, and I've found that if I bounce back every piece of true spam I get, over a few weeks or months, my rate of incoming spam seems to decrease substantially. We can do better, and we will beat the spammers, but we don't need to throw out the baby with the bathwater.
You send email to your ISP. Your ISP's mailhost is on the list. Your email gets through...
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
But, if you wish to become an ATT customer, how do you contact them?
I have no wish to phone them so they can get my phone number, which they will use to call me every 5 days trying to get me to switch my ld to att.
A week ago I decided that it would be interesting to setup my own mail server, hell, fun even. Interesting yes, fun no. I started with sendmail and ended up with qmail.
I was so proud of my new server, it was so, well, new. I go to send out a test mail and alas earthlink would not accept it, hmm. Then I sent one to my yahoo account, nope. Hotmail? You guessed it. What's the deal I asked. Googled a bit, found that slashdot discussion (http://yro.slashdot.org/yro/03/04/13/2215207.shtml?tid=120).
I started to realize that email is no longer a tool of the little guy. I send my mail through my earthlink server which works but now I must watch my volume (no mailing lists hosted here I'm afraid) because of my 'terms-of-service'. Something about being a little guy or something like that.
Now the last barrier is up. I wonder if ATT would put me on their list?
I have my own domain and run a MTA on my Linux box that is on DSL and gets its IP via DHCP. The IP almost never changes since the server is always on. I bet this is the same configuration as other
Anyway, I am starting to get bounces from certain organizations (AOL, Primus) that seem to think my messages are spam. Seems to have something to do with coming from an IP that is known DHCP. This kind of sucks; whitelists and spam filters may seem good at first, but they are screening out some legitimate traffic.
would be for AT&T to send an email telling everyone to fix their screwed up mail servers. That would help all of us, instead of screwing with us.
Does this mean that Joe Public surfing the AT&T web site can't shoot them a question via e-mail? If so, I can't imagine that's going to be good for their business.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
FYI, this seems to be from AT&T Business Services, IE backbone and ip operations. So their customers (the people they are asking) in this case are other ISPs, datacenters, etc, and the whitelist is for sending email to AT&T itself. This has nothing to do with other AT&T services (remember, "AT&T" is essentially about a hundred different companies that happen to share the same name), so this should not affect some grandma trying to send to an attbi account. That being said, whether what they're doing is good remains to be seen.
(Interestingly enough, I *DO* work for a datacenter that has IP and transit services through AT&T, and have not received one of these emails yet...)
I've said it before, and I'll say it again. We need to dump SMTP and switch to something like Internet Mail 2000. The sooner we do it, the better. Some people here have voiced concerns, but I'm convinced that this proposal is well thought out and will work. Any inconvenience (which would be minor, and only for a small fraction of users) would be trumped by its benefits, by a wide margin.
Anyone know if anyone is actually coding up a sample server and client for IM2000? A google search for "internet mail 2000" comes up with some proposals that go beyond Bernstein's site, but I haven't seen any evidence of code yet. It really shouldn't be that complicated and, yeah, I'd be willing to help!
Why do people that have legitimate topics get censored as 'Flamebait' when talking about microsoft or comment on KDE and GNOME being more bloated than Rosey O'donell as a 'Troll'.
Why do people that CUT AND PASTE news article get rewarded by the IDIOT moderators of this website with a +5 informative moderation ??
Does anyone else wonder about these mysterious subjects ?
Who in their right mind would pay money to Slashdot ? Very bizarre.....If you got cash to burn, how about giving it to the needy instead of lazy millionaire Commander Taco.
I read between the lines as:
Greetings Customers and Partners,
There is too much spam, so we fired everyone in IT. We've got some temps, led by secretaries, who will now rebuild and maintain all AT+T messaging platforms. Please send your IP addresses as we will need to ping you next week to see if you're still a Partner/Customer.
Best regards,
"
We could all just use sendmail and live with it...oh nt wait a minute, then I would have to build a brick wall around my house and bolt everything to the floor again. I am not sure that a pay-per-email system would work though as then the question of WAN/LAN e-mails comes up as some networks could be in the middle. Then comes the matter of payment, and what if one just wants to send a quick email and it is not their computer and they have not an account online. Also, different mailing lists would suffer or at least be royally screwed as most are free and that is their advantage, and as such, they would lose that advantage. Overall, PPEMAIL, not a very sensible plan, however something needs to be done...
--Shut up and get a mac--
Complete shock and disbelief at the first e-mail (the dreadfully short message at the bottom).
Has anyone actually called and confirmed with the 1-800 number that this truly is AT&T, and it really is what they are saying? I'm not sure I'll believe it until I see the e-mail actually start bouncing. That's clinically insane. Do they seriously believe they'll be able to pull this off? You mean every time a small company creates a new mail server they'll have to contact AT&T with the outgoing SMTP servers? If this starts a major trend, you mean I'll have to contact lots of major ISP's to send mail to them?
Assuming this is to stop SPAM (what else could it be?), what's to stop a spammer from just calling up and saying I'm a legit mailer set me up? What do I do when I get assigned the IP from the old spammer? What will their policy be on setting you back up? Will there be an official form? How can they tell the Spammer just isn't duping them a second time with a fake business?
This sounds like a terrible idea, and like their security people haven't really thought this through. About the only thing I like about it, is that it is a sign that major ISP's are starting to play hardball. I'm curious if one of their net admins was behind some of the major black lists that just got DDoS'ed off the net. I hope they accept e-mail from anybody with a legitimate MX record at least. At least for a little while. I can't believe they aren't going to do a black list instead of a white list.
What's the over-under on how long this takes to get pulled the plug on? There's no way this will last. It'll be a world class disaster. My guess is it won't last 15 business days.
Kirby
Why not set up some control station just for SPAM ?
It can be done but they wont do it.
After a few months of operation, it will become obvious that this plan is a disaster. Spam-friendly ISPs (and there are many with legit customers too) will still get on the whitelist, so incoming spam will not cease. But in the meantime, smaller ISPs around the world will get mighty pissed because their mail is rejected.
However, if you run your own mail server you will get quite annoyed, but all hope is not lost. Here is a brilliant solution for postfix that will let you deliver mail specifically bound for, say, attglobal.net through your ISP's hopefully whitelisted customer-use mail server instead of direct delivery. So AT&T will see your ISP's mail server connecting for this mail, while all your other mail can be delivered direct.
I'm mighty disappointed in AT&T. This move further commercializes Internet connectivity by giving big business the green light to send any mail while blocking all the small guys. Seriously.
Most big corps have an army of salesmen, tech guys, whatever, roaming around the world handing out business cards with an email address printed on them. The idea is that potential customers or potential partners will actually email us and we'll do things with them that make money for the corporation. Cutting off that communication sounds like a very bad idea.
This seems pretty odd. Is this just a small division somewhere that is trying this or THE AT&T.
Even if they did come up with a complete and accurate list of non-spammer mailservers, they still need a way to continuously update it. What would they want? Everyone in the world sending them email whenever a mailserver comes or goes? (oops, no... because the new server wouldn't be on the list either.)
AT&T cannot be this stupid. I have to think that this is a hoax. The long message vouching for the credibility of the earlier, terse message supports this idea.
AT&T has asked their customers, partners, and business clients to provide them with IP addresses of their mail servers.
Call me dense, but why not simply accept mail only from registered mail handlers? I would also do the filtering based on the connecting server's domain MX and the From header's domain MX; neither is registered, you give a 550 error. That would stop 99% of the spam (that I get, at least) right there. Especially the virus spam that tries to turn any random Windows box into an SMTP server.
"Please add this number to your do-not-call list."
Document all the info you can (date, time, name of person you spoke to if possible, etc.), and the next time you get a call from them, complain.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Slashdot is starting to suck.
go to some other sites like techdirt.com
Wouldn't it be easier for them to just handle their email through webforms? Now, I may be completely wrong here, but I rarely get Spam at addresses that aren't posted somewhere on the Web/Usenet. Using a webform to email alleviates this problem.
I find this very hypocritical. ATT is a major service provider for spammers, mostly through their broadband service. I know because I have my own blacklist and there are hundreds of Class C blocks with ATT. ATT is very lax with enforcing any AUP they may have.
When I read that, I laughed so hard I nearly spotted. In case you did hear, AT&T was the first Tier 1 ISP to have been confirmed to write a pink contract. To be balanced about it, AT&T corporate stated that the contract had been modified without permission of their legal department.
"If any of your IM team is captured or killed, the state department will disavow any knowlege of your actions. This tape will self destruct in 10 seconds. Good Luck Jim."
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
The best dual boot problem solver is; dd if=/dev/urandom of=/dev/hda1 ..then cfdisk /dev/hda1 etc..
:-( too bad I have my wife won't switch yet. I have always wanted to use that command!
OH THE SHAME I fell off the wagon and use sigs again!
There are several initiatives underway to use DNS to authenticate SMTP transactions: this seems like a good way to avoid the nastiness described by the parent poster...
- http://spf.pobox.com/draft-mengwong-spf-01.txt
- http://www.pan-am.ca/draft-ietf-asrg-dsprotocol-00.txt
- http://www.ietf.org/internet-drafts/draft-danisch-dns-rr-smtp-03.txt
The article really does sound like this request is an emergency response to a specific threat - The intent seems to me to be more of a temporary bandaid solution than an attempt to alter the very fabric of email as we know it (-:Pixie
don't mess with those geekgrrls
Just so that this is absolutely clear. It is my understanding that they are asking customers on their IP networks for this information. That is: they want to know the IP addresses on their IP nets of SMTP servers to whitelist incoming and outgoing mail for. I believe this mail went out to their large (enterprise?) customers which includes many downstream ISPs.
Could anyone tell me if this letter also went out to customers that manage their own IP nets but buy upstream connections from AT&T. For example, ISPs that are LIRs for their own nets.
Heck, the next logical step beyond claiming that they can white list every legitimate e-mail server on the planet that might ever send a valid e-mail to an AT&T customer would be to simply demand that everyone register all the actual e-mail that they will ever send to an AT&T customer. Then they could check incoming e-mail against everything they had on hand (or even just the md5 checksums of same) and reject any e-mail that wasn't already on file, since it must be spam. Might even be more useful; I could register a half dozen simple messages now for an AT&T user I know; but I have no way of being sure what IP addresses my service providers might be on six months from now and be sure they were white listed with AT&T.
I hate spam, but I expect the AT&T move will do a lot more harm than good.
I'm an American. I love this country and the freedoms that we used to have.
I was hunting around for some info on how to set procmail up to only allow the 4 domains that I get legitimate mail from when I ran across tmda. I decided to give it a shot instead and I haven't seen a spam since. I know that technically they're still coming in, but I went from 30-40 spams a day in my inbox to 0. Now I can ignore the problem until they start slipping through or they start consuming a significant portion of my bandwidth.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
127.0.0.1
I have over 70 freaks, do you?
Are you the same guy who posted two earlier posts with the same text? Last time it was 4AM and the time before 3AM..
Some creativity would be required when posting these again and again, next time change a few wordings and add more superlatives?-)
http://codeandlife.com
There *was* an IETF draft for "RMX" (Reverse MX) published by the IETF's Anti-Spam Research Group (ASRG), but it's not really ready for prime time.
I do not deploy Linux. Ever.
The biggest problem is ATT will have to administrate this. If a (legitimate) domain switches IP addresses on their outgoing SMTP server (it happens), ATT will have to deal with it by setting up some kind of structure to accommodate such changes.
Forcing domains to declare from what SMTP host legitimate mail will come from is actually a good idea. It has been proposed before, in the form of SPF:Sender and RMX. Either would do the job (technical quibbles aside), and would accommodate the end goal ATT is trying to achieve.
This scheme will last as long as it takes for one of the Brand New Spam Viruses to infect a billion computers across the internet that use these whitelisted servers.
As long as our governments are only willing to enforce the laws that make them money, the problems that plague our society will continue.
Seriously. Call up your local police office and report the 50 spams you got. Call the FBI. The FCC. The FTC. Call as many government offices as you care to until you're blue in the face. They all have some law that they should be enforcing that Spam breaks, but they're not interested.
Fix the problem, people, not the symptom. If you elect some leaders that will actually enforce laws that make the average citizen's life better, Spam will go away, along with a litany of other problems just like it.
That, or just keep voting for the same politicians that are in the pockets of the corporations, and these problems will persist.
fifth sigma, inc.
If you do not respond immediately, your access may not continue...
Please forward this e-mail to 10 of your closest e-mail servers and you will get a free Cracker Barrel gift certificate and little Mary-Lou will get her wish of getting e-mail from every American before she dies of leukemia. If you do not, you will have bad luck for the next 20 years!
Only real difference is that most companies don't have the balls to send this kind of broadcast mail message...
I've received both the original short message and the longer followup message. The long message includes contact information at the end, names and a 800 number. The names given are actual AT&T employees. It looks legitimate to me, the reply email address is given as rm-antiattspam at ems dot att dot com (bot-proofing added by me). I haven't actually responded yet, but other role accounts at AT&T also take the form of rm-something@ems.att.com.
I do not deploy Linux. Ever.
That's what I was thinking, but it looks like RMX is dead in the water, the link to the memo from the IETF ASRG website goes 404.
Looks like TLS (SMTP over SSL with client and server certificates) is our only hope. I was at a recent Open Group messaging conference (formerly X.org) where the main topic was spam, and there is definitely interest in this approach.
I do not deploy Linux. Ever.
I gotta say, there seems to be a growing number of uninformed idiots commenting on stuff they have no idea about.
/. is becoming a forum for idiots, not nerds.
This topic is one perfect example, no one reads the article and no one seems to understand SMTP mail.
Gee, our Slashdot readers literally pine for a similar setup within the community to combat spam, using items such as "trusted" lists, etc...
The whims and ideas of these slashdotters still doesn't account for the fact that most of the load from SPAM still has to be handled by the carrier. First to store it in the mail server, then to delete it. AT&T is simply negating the need for those two steps.
Of course, some mail might not make it through. And of course some SPAM might make it through.
But, given that spammers routinely forge headers, a simple query can block them.
For instance, Joe Spammer, who has an account at www.taiwanopenspam.com (or a cracked server) starts kicking out mass emails. He can't keep it up for long without forging his headers. When he does, a simple DNS lookup for www.forgedheader.net will either return a negative value (in which case the mail is blocked) or an IP address that does not show up on the whitelist, and is therefore, blocked.
krystal_blade
It will be easy to motivate our fellow man; there is hardly anything people treasure more than not being annihilated.
Sender Permitted From, a handy little concept whereby DNS servers for domains publish lists of what servers are vouched for, so to speak. By only accepting email from servers which implement SPF, you reduce spam a lot. With SPF, if anyone is doing spam, it's very traceable and prosecutable. You also cut down on people trying to fake identities.
If everyone implements SPF, it'd solve this problem in a fairer way.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
10.0.3.47
Another thought is that perhaps AT&T EMS is planning to subscribe to Vixie's RBL+, and want to first whitelist all of their customers, to prevent legitimate customer email from getting blocked by an overly broad stroke of the dynamic blacklist...
I do not deploy Linux. Ever.
Right on, that is the best description I have read about the whole premise of OSS security, through source transparency!
OH THE SHAME I fell off the wagon and use sigs again!
All you need is...
One Mail Server to rule them all.
One rules list to filter them by.
One DNS server to bind them in MX records.
I say to hell with all these independent mail servers... all the Internet email should flow internally in one server to all users. Yes this is truly ridiculous on a technical/political level but it would stop spam quickly.
From: MAILER-DAEMON@dontspam.com
, fbloggs@dontspam.com,
To: complainer@dontspam.com
Subject: failure notice
I'm afraid I wasn't able to deliver your message to the following addresses.
abuse@att.com:
12.20.58.70 does not like recipient.
Remote host said: 550 Your IP is banned and we do accept spam
from you, please contact AT&T by phone for assistance.
--- Below this line is a copy of your message.
Return-Path: complainer@dontspam.com
From: complainer@dontspam.com
To: abuse@att.com
Subject: SPAM COMPLAINT
Date: Wed, 22 Oct 2003 06:14:35 +0000
Dear Sir/Madam,
Attached is a spam message which appears to be sent from
IP addresses allocated to your company. We have received
over 1,000 of these messages in the past week.
Please take action and stop spamming our site immediately!
The Postmaster.
----- Original Message -----
Received: from mail.bogus.com ([211.110.179.73])
From: "haggett" 02yrpelaf@thredrkinet.net
To:psmith@dontspam.com
tjones@dontspam.com, abuse@dontspam.com,
postmaster@dontspam.com, everyone@dontspam.com
Subject: ~do not overpay for calls LWEK
Date: Wed, 22 Oct 2003 01:13:20 -0400
X-Mailer: Bulk Super Mailer v2.1a
PaYiNg ToO MuCh 4 LONG DISTANCE PHONE CALLS? AT&T
CAN SAVE YOU **BIG** MONEY. CALL NOW, DON'T DELAY.
This is a one time mailer and you do not need to unsubscribe.
DISCLAIMER: This E-mail is not SPAM under the Federal Regulatory
laws of the United States. This message is being sent to you in
compliance with the proposed Federal Legislation for commercial
e-mail (H.R.4176-SECTION 101 PARAGRAPH (e) (1) (A)) and Bill
s.1618 TITLE III passed by the 105th US Congress.
If you have received this email by error, we sincerely apologize
for any inconvenience.
I believe that AT&T customers who only use AT&T for transit (have their own AS and portable IP blocks) also received the letter. Only other way I could have gotten it is based on some old DNS registrations delegated to AT&T...
Took me a bit to figure out what "LIR" (Local Internet Registry.) refers to, since I've been out of the retail ISP game for many years. Turns out, "LIR" is not very clearly defined, it just means an ISP to which IP space has been allocated?
I do not deploy Linux. Ever.
HP is blocking email from all kinds of servers, including some quite large ISPs. The result? HP staff are relying more on private email accounts. Banning them from using private accounts at work will not succeed because of hot desking. So the risk of crap getting in via a remote notebook attached to a VPN goes up.
And these are the companies that are supposed to have a clue. What about the rest?
[1] Configure your reverse mappings for your Internet-facing machines properly. That way we can start checking on reverse lookups which would stop Joe Lusers Windows box on DSL being turned into an SMTP engine.
I know that people can trivially configure their own DNS servers and spoof the forward and reverse mappings, but at least there needs to be an administrative contact on the SOA record and on the WHOIS information; which is something
[2] Get rid of the un-needed use of HTML emails. There is no need for half of the formatting and dross in emails. ASCII does just fine, and provide a link to a website if you need to woo people with eye candy.
[3] Undo some of the supposed "intelligent" behaviour of email clients. They should display text first, and do everything else (play sounds, render HTML) as a user-invoked extra
[4] Make it a "must manually do" option to allow SMTP servers to allow relaying from anything other than their internal interface and IP range. Too many products come too open out of the box
[5] Use the TXT record or something similar for SMTP servers to list which domains they serve. That way receiving servers performing a forward/reverse lookup for verification will also be able to see if the domain in the email has been spoofed.
___FutureShoks___
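Added example, not part of any comment in this thread: several posts above (the SPF description and the "[5] TXT record" suggestion) propose that the sending domain publish its permitted mail servers in DNS instead of each receiver keeping an IP whitelist. The Python sketch below evaluates such a record using the mechanism syntax later standardized for SPF (RFC 7208), which is an assumption relative to the 2003 drafts linked in the thread; the zone data, domain names, addresses and the `lookup` stub are constructed for illustration.

```python
import ipaddress

# Constructed zone data standing in for real DNS answers (documentation
# domains and address ranges only; nothing here is taken from the thread).
ZONE = {
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/28 mx include:_spf.mailhost.example -all"],
    ("example.org", "MX"): ["mx1.example.org"],
    ("mx1.example.org", "A"): ["198.51.100.25"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:25::/48 ~all"],
    ("nospf.example", "TXT"): ["unrelated text record"],
}

# Receiver-side list in the style the article describes: addresses the sender
# reported once, which go stale as soon as the sender renumbers.
STATIC_WHITELIST = {"192.0.2.1"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 limit on terms that trigger DNS queries


def lookup(name, rtype):
    """Hypothetical resolver stub: answers come from the constructed ZONE."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def host_addresses(name):
    """All A/AAAA addresses published for a host name."""
    return [ipaddress.ip_address(a) for t in ("A", "AAAA") for a in lookup(name, t)]


def static_whitelist_accepts(client_ip):
    """The receiver-maintained check: exact match against a fixed list."""
    return client_ip in STATIC_WHITELIST


def check_host(client_ip, domain, _budget=None):
    """Evaluate the policy published by `domain` for a connecting client_ip.

    Handles all, ip4, ip6, a, mx and include. Modifiers (redirect=, exp=) and
    CIDR suffixes on a/mx are outside this sketch.
    """
    ip = ipaddress.ip_address(client_ip)
    budget = _budget if _budget is not None else [MAX_DNS_MECHANISMS]
    records = [t for t in lookup(domain, "TXT") if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"        # the domain publishes no policy at all
    if len(records) > 1:
        return "permerror"   # more than one policy record is ambiguous
    for term in records[0].split()[1:]:
        if "=" in term:      # modifier, not evaluated here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):
            budget[0] -= 1   # cap DNS work so a hostile record cannot fan out
            if budget[0] < 0:
                return "permerror"
        try:
            if name == "all":
                matched = True
            elif name in ("ip4", "ip6"):
                net = ipaddress.ip_network(arg, strict=False)
                matched = net.version == int(name[2]) and ip.version == net.version and ip in net
            elif name == "a":
                matched = ip in host_addresses(arg or domain)
            elif name == "mx":
                matched = any(ip in host_addresses(mx) for mx in lookup(arg or domain, "MX"))
            elif name == "include":
                inner = check_host(client_ip, arg, budget)
                if inner in ("none", "permerror"):
                    return "permerror"
                matched = inner == "pass"
            else:
                return "permerror"   # unknown mechanism
        except ValueError:           # malformed address or prefix in the record
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for addr in ("192.0.2.5", "198.51.100.25", "203.0.113.77", "198.51.100.99"):
        print(addr, check_host(addr, "example.org"), static_whitelist_accepts(addr))
```

The sender can move to a new outbound address by editing its own record, whereas the static list rejects the new address until the receiver is told about it.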
Hang on.. that sound familiar. Jay of 'Jay and Silent Bob' is in charge of the internet? That explains a lot.
Disclaimer: I'm an Anonymous Coward impersonating an AT&T employee, and this is the first *I've* heard of it.
Here.
It's beginning.
We're already there. I've been running my own mail server on my ISP connection for a few years. A few months ago this became completely untenable, and I had to go back to my ISPs slow, unreliable server.
Why? The sheer number of servers that were refusing mail from me because my IP was from an ADSL pool.
The Internet has already been de-democratized, long ago.
mypharmacydirect.net, who use nameservers with names such as ns1.spamhaussucks.com and ns2.spamhaussucks.com, and the registrar, JORE-1 (?) allows this...
How much did Chinanet and the Hunan Data Communication Bureau No.9 get paid to house a spammer?
Is it any wonder that it is a good idea to block all ips coming from China? And any other countries in Asia/former USSR/similar that you don't normally do business with or correspond with?
And should Germany be thrown into the blacklist for joker.com, possibly part of the spamhousesucks.com ring?
Forget the blacklists. We need a bounty-list.
People/organizations having trouble with spam can send money to increase the bounty on spammers. All we have to do then is wait for someone to "fix" the problem and cash the bounty.
When in doubt, act determined. Business 101
Wouldn't that be the better/cleaner solution? I suspect IP addresses can be faked, so it's easy for spammers to make the whitelists useless.
Also, what's next, are we supposed to put our mail server's IP address on our business cards?
What if, instead of making an obligatory whitelist, one made a voluntary centralized blacklist. I work at a university, and we are having more and more problems with students sending spam from their no-longer-secure computer. We're working on several different solutions. (Education is the obvious one, but is futile for a certain percentage...) The bottom line is that the IP addresses on our student network should not be sending email. What if there was a voluntary system where one could just enter in a range of IP addresses, confirm via email queried from whois records, and blacklist them? (We have more liberal policies, so we would allow students to opt-out.) Seems like that's already happening on a much cruder scale when mailservers blocklist DSL ranges.
A lot of sort of unrelated things have been happening lately that indicate an instability in the philosophical underpinnings of the Internet. It used to be that the idea of sealing off access to areas of it would be completely anathema, as much as the idea of someone doing something like Verisign's recent Sitefinder profit-play.
We're reaching the point where it's no longer considered completely out of the question to discuss blocking access to non-offenders. It's gone from being okay to block SMTP traffic from "non-static IPs" to being okay to block traffic from "anyone who's not on our exclusive list" within a period of months.
Verisign has done the previously unthinkable by modifying major functions of the DNS system without so much as a "by your leave". And having gotten their hand smacked, rather than admit any wrongdoing, they are politicking in the media to lay the groundwork for efforts to wrest complete control of the process. What will they decide they have a right to do next? And if they get away with it, what are other (backbone providers/ISPs/you name it) going to try to see how much they in turn can get away with?
And it doesn't look like too many people are thinking ahead to where these trends will go if not arrested. The Internet has functioned as well as it has for as long as it has because by and large the big players have all followed the rules, customs, and generally accepted way of doing things. If they all start to do whatever they please at the moment, will there still be an Internet?
Quoth he
"It's all academic anyway..."
AT&T three years ago were caught out when a "pink contract" they held with Ronnie Scelson's Cajun Hosting was brought to light by anti-spammers on news.admin.net-abuse.email. Now they're going to do something about the spam hitting their users' inboxes.
Less spam would hit their users' inboxes if they were to sever all ties with their pet spammers. It's my own hog-fucking opinion that AT&T still has plenty of pink paper over there and are still helping spammers to stay in business. However, money still talks the loudest. Those spam contracts usually bring double or triple the going rate to ignore complaints.
I read the linked email but it didn't seem to clarify that point... Seems important.
Quoth he
"It's all academic anyway..."
Given the response by telemarketers against the FTC's Do Not Call List, how long before the first lawsuits are filed against AT&T?
A message from our sponsor
I believe this is for the corporate network. Can't believe they're having such a bad time with spam they're resorting to this. I work for a large 50,000+ company and hardly any spam gets through.
Though we still have idiot employees who send chainletters through the system. Usually showing them the length of an unemployment line and the fact that if they do it again they will make that line longer keeps them in line. *kidding* good threat though.
The spammers are about to win. The internet will become isolated islands that you need to have some sort of clearance to contact. I remember when the Net was still open. Bloody bastards are everywhere, with the clear intent on ruining the fun for everyone. One of these days we will find the first cases of beaten up or even killed spammers.
OUTBOUND emails should _automatically_ have their recipient mail server added to the OK list.
And if you're still skeptical, record the email of the person that added it.
This should reduce spam as it will be easier to track the spammers and hassle them with legal threats or at least get their ISP to shut them down. (Or black list the ISP) See the link above for the full details
dave
--> stuff
Recently the company I work for has been working on a large project with AT&T. Suddenly out of the blue we were no longer able to send them email, but we were able to receive from them. We were able to send to all our other clients without a hitch. We called AT&T and they told us everything was fine on their side, so we went and brought in a Cisco consultant since we were unable to resolve the issue. A couple thousand dollars later we still didn't have an answer... Looks like this could be the cause, but then why did AT&T not tell us about this when we called?
They are not creating a whitelist of everyone who sends email to AT&T Customers - You are right that would be a mess
They are whitelisting their customers' SMTP servers so no one can send spam FROM AT&T's network.
They are implementing a Sender Permitted From type of system
dave
--> stuff
I like AT&T's idea, but suggest that all ISPs go one further: when a customer registers an SMTP server with them, the ISP should be required to check it to see whether it is an open relay at least once a day. If it finds that it is, it should automatically shut it down.
By requiring organizations to apply for opening SMTP from their ISP, and requiring ISPs to test these hosts to see if they're open relays, I think a lot of the spam problem could be eliminated.
And this could be enforced across international borders by ARIN, ICANN or IANA. Whichever body gives out IP addresses to ISPs could require them to implement this practice and pull their IP ranges if they fail to comply.
If you are a business you can't know all the incoming servers of your future customers..
This would kill the concept of customer service for said company.. " they won't respond to my email screw them "
Something has to be done I agree, but not this.
---- Booth was a patriot ----
Couldn't ATT scan their current email base for this same info? Sure it's going to take 1+ sets of human eyes to make sure an IP is legit but that's going to be needed anyhow to review the incoming requests to be added to the whitelist.
3 21 78-2003Oct15.html
Let's take this one step further. Six months down the road I, a future customer, business partner or supplier to ATT who has never heard of this policy, send them some email wanting LD service for Humongous Corp, to supply widgets at half their current cost or whatever and has its mail bounce or go unanswered. ATT is the big loser. Must be nice to be a company that has no need for additional customers or suppliers.
More info on the deep thinkers at ATT and other big businesses can be found in the book "The Innovator's Solution: Creating and Sustaining Successful Growth," by Clayton Christensen and Michael Raynor. A review can be found at the Washington Post here (some non-personal info may be required before reading) (Remove obligatory Slashdot Extra Space(TM)):
http://www.washingtonpost.com/wp-dyn/articles/A
A small excerpt:
(The book) offers a funny look back at how AT&T threw away $50 billion in just over a decade on doomed identity changes.
After exiting the local phone market in 1984, AT&T first tried to become a computer company, buying NCR for $7.4 billion only to sell it five years later at roughly half price. Next it entered the cell-phone market by acquiring McCaw Cellular for $11.6 billion and sinking $15 billion more into improvements. But when AT&T spun off its wireless business in 2000, the new wireless entity was valued at a mere two-thirds of its investment. Then came the disastrous cable bet: A few years after forking over $112 billion to buy TCI and Media One, AT&T unloaded those assets to Comcast for $72 billion.
Yup, the dinosaur is about dead.
The administrative overhead alone of customers/partners/suppliers changing ISPs, moving mail servers, and etc.. will pretty much ensure that AT&T mail will NOT be reliable.
-- You can't idiot-proof anything, because they're always coming out with better idiots.
So here is an excellent chance to push SPF on the masses. It solves the problem of maintaining lists. Simply tell the customers that if they don't have the accepted mail servers listed in their DNS record, the mail will be refused.
Heh, glad I still remember how to configure uucp. I'll just teach my mom and close friends how to use it and we'll have spam-free email courtesy of Ma Bell! /flex
Ma gavte la nata
Your pronouncements of doom and gloom don't wash. There is no reason to assume that if you are not *on* the whitelist you can't *get* on it. There are any number of ways to manage this sensibly.
Just as a couple examples, consider existing systems that it could be modeled after:
1) You want to join a mailing list. You send a "subscribe" message to the list owner. He looks at it and approves you, then you are able to mail to the list.
2) Many phone systems have a service where anonymous (caller ID blocked) calls hear a message saying that number doesn't accept solicitation calls, then they have the option to state their name, the name is then played for the recipient and they decide whether to take the call.
Just starting from these I can envision several ways to manage whitelists. Maybe anyone who sends a message and is not on the whitelist gets an automated reply (to the "reply" address) inviting them to send a request to be put on the whitelist. The message could include some kind of text-in-image Turing test to make sure only a human can submit the right code. Valid requests would be presented to the recipient, who would decide whether to add them to the whitelist. These requests could easily be identified and treated differently from normal emails.
Another interesting point is that you could start by getting a trusted whitelist from some organization, then customize it to your own needs - remove mail servers that seem to be problematic, add known trusted servers, etc. And any message you get would come with info about the mail server it came from.
If reasonable systems were set up to do this it would work. I'd use it immediately.
"I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
The Internet will degenerate into a fragmented, unreliable system...
That pretty much describes what the Internet has always been since day one.
According to the recording at the 800 number supplied, this was a draft email that was sent out prematurely.
Pete Carr Owner Chatmag.com
Who writes these stories? The writer should have either used quench or squelch, but not try to make up one word out of two. Reminds me of people who get 'flustrated'. You are either frustrated or flustered, but not both.
-- After all is said and done, more is said than done.
And you deserve to fucking die for being part of the problem, then telling us it's our own fault.
Thanks for using your realID at least, I'll be sure to add to my enemy list.
My old company provides satellite access to the US internet backbone. The cost is way more than a US company would pay, but third world countries don't have the infrastructure to match the speed. Anyway, because of the overabundance of spam, we require our customers to register their mail servers and SMTP is only allowed from those mail servers. This has cut down spam complaints significantly. That's not to say it doesn't happen, but when a complaint comes in, we know who to contact to stop it. If it continues, we cut all mail from that address.
In reading the original message (included at the bottom of the later message), I think that this has nothing to do with inbound spam. Instead, I believe that AT&T is about to block its clients from accessing port 25 on servers other than those in a defined list.
This doesn't address the problem of AT&T users receiving spam (except indirectly). Instead, it is addressing the problem of AT&T users sending spam. More likely, this is addressing the problem of poorly configured and virus-infected machines belonging to AT&T clients being used as relays of spam.
This is likely in response to the "stealth spamming" that's becoming more popular: hijacking machines via virus for use as SMTP relay, DNS server, and web server. [For those interested, there's been a fair bit of NANOG discussion of this recently under the subject of "Wired mag article on spammers playing traceroute games with trojanedboxes".]
If we only took the time and effort to enforce the pre-existing laws on the books against fraudulent business practices, selling schedule II and III narcotics without a prescription, securities fraud, piracy, etc., spam would lighten tremendously.
Unfortunately our present administration is only interested in prosecuting "terrorism" and anything that vaguely represents business gets a pass.
Our government, unfortunately, has a long history of tolerating fraudulent business practices couched as "aggressive sales practices" -- frequency alone isn't the reason people are pissed at telemarketers, it's the government's total denial of the scope of fraud and sleazy practices and the piss-poor resources devoted to those agencies that actually try to do anything about it (and the resource squeezes are totally political, as industry lobbyists work to starve fraud enforcement "because it hurts business.")
I think he was looking for Squelch or maybe Quash. Quelch ain't real.
> I've found that if I bounce back every piece of
> true spam I get....
...You blast people like me whose domains are in the forged headers of the spam with bogus bounces. About 1/3 of my email consists of such useless bounces.
_NEVER_ _BOUNCE_ _SPAM_. The headers are always forged.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Ain't that the truth.
There are a few "true costs of spam" I'm seeing. One is as you point out, Balkanization (and I'm still stuck by the AOL issue, though at least I can mail by a secondary route). One is people cut off from other groups by arbitrary blacklisting policies. And yes, many of us (/me raises hand) cheered the same action when used against foreign ISPs with large spam volumes, though I still maintain that there's an important distinction between strongly prodding ISPs to clean up their act, and arbitrarily shutting out large portions of the 'Net.
Another is that the typical user is rapidly getting chased off the 'Net. Exposing your address anywhere is an instant invitation to not only spam, but viral spew, which in my experience is many times worse. Even on bad days, spam is ~150 messages. I've had 2000+ viruses at peak of Swen and SoBig, friends report far more. POP mail over dialup is simply impossible in this situation. Most of your inbound mail bounces because your inbox is full, and you spend all day downloading crap. SMTP-time, user-controlled, accountable, accurate, and effective spam and virus filtering is no longer optional. I've been trying to drill this point in to my brain-dead ISP. Usenet discussions in their forums have been obsessed with Swen.
This also means that the likelihood for people to engage in open discussions, under their real identities, is being harmed. On the debian-user and other mailing lists we've seen endless discussions over the past several weeks by people who participate and then get flooded by spam. The lesson: don't participate.
And anyone with well-advertised, long-established email addresses.... Peter G. Neumann of the comp.risks archive runs SpamAssassin over list mail and still has 90% spam in the list mail, after filtering.
I still have hopes that we can dig out of the situation. As others note: when high-up execs start losing messages, I suspect AT&T's policy will slacken. AOL, as I've said, hasn't budged, however. Filtering is still largely effective, it just needs to be pushed further out to the SMTP transaction level. And I suspect that AT&T has a good idea, poorly implemented: MTAs themselves can keep track of spam and ham (non-spam) mail, and determine what mailservers they do and don't want to deal with. Current work with exim4+spamassassin integration is a long way toward this.
And yes, I'm the submitter of the AOL Bans Mail From DSL-Hosted Servers story.
What part of "gestalt" don't you understand?
What happens when a domain expires, and is picked up by a spammer?
Or when a domain is transferred to a new IP?
What about when a spammer sends spam through your mail server (using an exploit, worm, Trojan etc)?
What about spammers that send spam from AT&T accounts, to other AT&T accounts?
The article didn't really cover these pretty important questions. I'll have to see what my next statement says about this.
TruePunk | Games
That would really help people putting new servers up on the internet now, wouldn't it... I wonder how long it would be before anyone would actually accept your e-mail?
Yeah, this sounds like a great idea. I am beginning to believe that AT&T's net ops dept is filled with idiots. My office is subletting space off of another company and using their AT&T business DSL. Roughly 2-3 months ago, all ICMP out of our network stopped. So, I get on the phone with AT&T. After a lot of getting bounced around to higher and higher support people, I finally get a hold of someone who tells me that AT&T is now blocking all ICMP across their network "for security purposes". Brilliant. It is not as if ICMP is a useful protocol or anything. So much for any remote monitoring of our servers with a simple ping. So much for using traceroute or ping to debug simple network problems. Now they are intending to break SMTP. Seems that by 2006 AT&T will have blocked most all Internet protocols because they are "insecure". Can't wait until the brains at AT&T decide to block TCP/IP!
Greg Whalin
greg@whalin.com
This also affects emails (and text messages) that are sent to your cellphone. (With AT&T, your cellphone can have an email address that is your phone number.)
TruePunk | Games
Given that for every penny spent by spammers to send their junk, the cost imposed on recipients is several pennies (before even counting the costs of the time wasted just pressing delete if the spam isn't blocked), it is already the recipients who have the undue burden here. Of course senders really shouldn't be burdened, either, but then, we also shouldn't have spam but we do.
Spammers are constantly trying to make their junk look like legitimate mail. Senders of truly legitimate mail, however, will have to stay a step ahead of spammers and ensure that their mail is very distinguishable from spam. But as experience shows, things like the content of the message, and even that the sending mail server looks like a perfectly configured network, do not distinguish the sender very much at all. What AT&T is asking is that senders distinguish their mail servers to them at this point. By asking AT&T to whitelist your mail server, I presume they will grant you conditional trust. At this point, if you spam them, then they can remove you from the whitelist.
The real problem will be when every business, network, and even individual starts to do this. Imagine every time your IP address changes that you have to notify millions of other network administrators about it. What is needed is a central clearinghouse for this which is run by someone who can be trusted, and can be updated quickly. That would be like current spam blacklists, but inverted to be a whitelist instead. I've said as much as 5 years ago that we would be headed that way. It looks like AT&T has turned in that direction. Now we just have to make the whole thing manageable and scalable.
now we need to go OSS in diesel cars
I heard this all the time when researching RackSpace and other service providers. (Oh no, here come the hordes of knee-jerk anti-RackSpace folks who are treading in the past... spew your venom elsewhere, RackSpace is not the real point of my argument here.)
... as a legitimate, non-spamming company that sends out huge volumes of email to our members that request this email (we manage many lists), I am *GLAD* RackSpace doesn't just "cut the cord and ask questions later." We have seen first-hand invalid spam reports against us. Either by pissed off competitors, or by clueless people that received a copy of our email from one of our members that was infected with a virus.
The main problem I found is just the sheer volume of spammers signing up for accounts. And the fact that these spammers also sign contracts with the providers that cannot simply be broken by the provider, there must be proof provided of spamming, due process, and the account cancellation. Otherwise the provider faces lawsuits.
And let me say this
But I digress...
From the 'public' side, if RackSpace kills 5 spammers a day and 5 or more sign up a day, it appears that RackSpace is a spam haven, even though they are cancelling accounts left and right. What else can they do? The anti-spam zealots, frothing at the mouth, spew forth truth and lies mixed together to paint the awful picture that they want of any company that hosts any spammers whatsoever, irregardless of whether that company kicks them off.
(Can you tell we hate the blacklists like SPEWS?)
As long as our governments are only willing to enforce the laws that make them money, the problems that plague our society will continue.
I am all for making spamming illegal -- it has a negative effect on people outside of the spammer.
But the argument above used is extremely weak, and is the kind of thing someone would say to prohibit alcohol consumption, keep gays from being legally married, ban abortion, etc...
Yes, a web of trusted mail servers is needed. The problem is that there still needs to be some quick way to revoke the trust. You know spammers will set up decoy ISPs, get them whitelisted, and eventually use them to spam. However long the revocation process takes, that's how long they get to spam. And they won't stop at just one. Many spammers are known to have many colocation or high speed access accounts ready for when they get disconnected so they can rapidly shift over to green pastures and keep the pink blob rolling.
It looks like the day is coming where we "blacklist" 0.0.0.0/0 (the whole internet) and then whitelist what you trust, or what someone whom you trust trusts. DNS based whitelists may be where we go with this. But we do need to find a solution to the obvious problem of a whitelist which is that if the name servers go down (such as due to massive DDoS attack by spammers), mail stops flowing. While they did attack DNS based blacklists to cause them to either be unavailable so the spam would get through, or in some cases be permanently shut down, they could just as easily attack DNS based whitelists to make them something people won't want to use (because that attack cripples email entirely). Since DNS based whitelists are in a better legal position than blacklists, it may be easier to get a lot more companies on board and make it so widely distributed that DDoS attacks will be ineffective.
now we need to go OSS in diesel cars
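The failure mode raised in the comment above, as an added example (not part of the original post): a receiving server consulting DNS-based lists has to decide what a lookup failure means, and the safe answer differs between a blacklist and a whitelist. The zone names, records and resolver here are constructed stand-ins; the reversed-octet query name and the 250/451/550 reply classes are standard.

```python
import ipaddress


class LookupFailed(Exception):
    """Resolver timeout or SERVFAIL: the answer is unknown, not 'not listed'."""


# Constructed list data: a name that resolves means "this IP is listed".
RECORDS = {
    "25.2.0.192.wl-a.example": ["127.0.0.2"],
    "25.2.0.192.wl-b.example": ["127.0.0.2"],
    "9.113.0.203.bl.example": ["127.0.0.2"],
}


def make_resolver(down_zones=()):
    """Build a stand-in resolver; zones in down_zones simulate an outage."""
    def resolve(name):
        if any(name.endswith("." + zone) for zone in down_zones):
            raise LookupFailed(name)
        return RECORDS.get(name, [])
    return resolve


def query_name(client_ip, zone):
    """DNS list convention: reverse the IPv4 octets and append the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def smtp_reply(client_ip, zones, resolve, mode):
    """Return the SMTP reply code for a connection under a list policy.

    mode "blacklist": listed -> 550; a failed lookup fails open (250), so
                      knocking the list offline lets spam through.
    mode "whitelist": listed -> 250; a failed lookup defers with 451 so the
                      sender queues and retries instead of bouncing the mail.
    """
    failed = False
    for zone in zones:
        try:
            listed = bool(resolve(query_name(client_ip, zone)))
        except LookupFailed:
            failed = True
            continue
        if listed:
            return 250 if mode == "whitelist" else 550
    if mode == "whitelist":
        return 451 if failed else 550
    return 250


if __name__ == "__main__":
    up = make_resolver()
    a_down = make_resolver(down_zones=["wl-a.example"])
    print(smtp_reply("192.0.2.25", ["wl-a.example"], up, "whitelist"))      # 250
    print(smtp_reply("192.0.2.25", ["wl-a.example"], a_down, "whitelist"))  # 451
    print(smtp_reply("192.0.2.25", ["wl-a.example", "wl-b.example"],
                     a_down, "whitelist"))                                  # 250
```

With a second, independently hosted zone the outage of the first no longer delays mail from a listed server, which is the distribution argument the comment closes on.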
Found that Xwall stops most of the spam from reaching our servers. No need for another protocol, but I recommend not using the open relay list as part of the filter. So many of the recent viri have caused even LANs without an actual email service to be placed on the list. Cheap and easy to configure. I am sure others have tools that help on the server level.
karma, hah...
I thought the same thing but about their use of telemarketing or unsolicited phone calls. Apparently what is good for the goose is not good for ma bell.
I am network admin for an ISP, and I manually block many domains and IPs that I deem to be spam sources. Unfortunately one of the biggest offenders has been attbi.com, AT&T Broadband. At the moment, our mail server accepts no traffic from attbi.com. And I have gotten a handful of complaints from customers who can't get mail from Grandma or whoever. But what alternative? - there were times in the past when hosts in attbi.com would pump tens of thousands of garbage messages into my mail queue a day and seriously impact the delivery of legitimate mail. Multiple-hour or day-long delays for mail delivery is totally unacceptable. I tell people that their acquaintance using AT&T broadband needs to complain to AT&T. I know that if I find a customer of ours spamming, I not only disable their service, but verbally berate them. It's abuse of service, and AT&T needs to watch who plays in their pool too.
AT&T no longer has a broadband ISP. attbi is owned by comcast, and is not affiliated with AT&T.
Usually if they don't accept your mail, it is because you have configured the mail server wrong. You would be surprised to find how many mailservers have wrong reverse DNS lookup routines etc.
Check your mailserver's domain address with DNS report and act accordingly.
You also might want to follow up checking if your domain is blacklisted using the spam database lookup at
Mailservers are for certain getting harder to run, but the little guy can still play if he really wants to go through all the now required steps...
OUTBOUND emails should _automatically_ have their recipient mail server added to the OK list.
So you add mailin.mx.domain.com to your whitelist, but that domain sends all its outbound mail from mailout.mx.domain.com.
This is an extremely common setup on large sites, because inbound and outbound mail have totally different requirements. Once you need more than a couple of mail servers, it makes sense to separate them so you can use the right tools for each job.
Inbound mail servers need to accept SMTP connections from the Internet, need to filter mail, don't need to canonicalize or masquerade addresses, and need not to allow relaying or SMTP AUTH. They should probably be put in a DMZ, since they're accepting internet connections. They could probably benefit from fast spooling devices to handle sudden increases in incoming traffic.
Outbound mail servers need not accept any connections from the Internet, and need not filter mail (unless one wants to be nice). If they are accepting submissions directly from your clients (rather than that being delegated to a third set of servers), they need to perform address canonicalization, masquerading, and other header munging, and they need to allow relaying from a set of IPs and/or allow SMTP AUTH. They probably need more spool space, and possibly structured queues, to hold delayed mail.
It's a ridiculous assumption to make that servers performing these two distinct tasks would be using the same sets of IP addresses.
If you make that assumption, and start blocking mail based upon it, you will find that you are no longer able to receive mail from AOL, Yahoo, and other large mail providers. That's not going to make your users happy, and if you're a professional mail admin, blocking vast amounts of legitimate mail is a good way to be forced into a career change.
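The mismatch described in the comment above, as an added example (not part of the original post): a whitelist built from the MX hosts you deliver to is compared with a sender-published list of outbound addresses, written in the `v=spf1` syntax that SPF (mentioned elsewhere in this thread) later standardised in RFC 7208. The zone data is constructed, `domain.example` stands in for the comment's `domain.com`, and only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed zone data mirroring the comment's split of inbound and
# outbound mail servers (documentation address ranges, made-up names).
MX = {"domain.example": ["mailin.mx.domain.example"]}
A = {
    "mailin.mx.domain.example": ["192.0.2.10"],
    "mailout.mx.domain.example": ["192.0.2.129", "192.0.2.130"],
}
TXT = {
    "domain.example": ["v=spf1 ip4:192.0.2.128/28 -all"],
    "soft.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mx_derived_whitelist(domain):
    """Addresses an 'auto-whitelist whatever I deliver to' rule would record."""
    return {ip for host in MX.get(domain, []) for ip in A.get(host, [])}


def spf_result(client_ip, domain):
    """Evaluate the domain's published sender list against the connecting IP.

    Returns pass/fail/softfail/neutral/none/permerror, or "unsupported" for
    terms this sketch does not implement (a, mx, include, redirect, ...).
    """
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in TXT.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # more than one record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"             # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version != int(name[2]):
                return "permerror"  # e.g. an IPv6 prefix under ip4:
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"
    return "neutral"                # no term matched and no "all" present


def compare(client_ip, domain):
    """(accepted by the MX-derived whitelist?, result of the published list)."""
    return (client_ip in mx_derived_whitelist(domain), spf_result(client_ip, domain))


if __name__ == "__main__":
    print(compare("192.0.2.129", "domain.example"))  # real outbound gateway
    print(compare("192.0.2.10", "domain.example"))   # inbound MX, never sends
```

The first call returns `(False, 'pass')` and the second `(True, 'fail')`: the MX-derived list gets both hosts wrong, while the list the sending domain publishes gets both right.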
Interesting feature of being connected through AT&T is the free firewall they provide. Unfortunate that it only applies to port 25, but hey .. you've got to start somewhere, right?
... but you get what you pay for (to wit: slashdot).
No really, this is not as much of a bad idea as it is a bad place to do it. These filters should be pushed out closer to the edge of the network where administrators can make the call about what is permitted into their own network. Yes, most sysadmins are painfully clueless and that translates into cost for their employers
AT&T Broadband no longer exists, and attbi.com is not AT&T. It's Comcast.
Confusing, yes, but that's how things go these days of spinoffs, mergers, and acquisitions. (AT&T spun off their broadband division, which bought a bunch of people, got involved in the @Home fiasco, and was in turn bought by Comcast. The domain name is just there because of inertia -- all the attbi.com customers send their checks to Comcast.)
You can, BTW, block most spam from ATTBI while preserving most legit mail by blocking just client.attbi.com and client2.attbi.com, instead of the whole attbi.com domain.
There are an estimated 10 million mail servers in operation right now.
The average lifetime of an IP for a server is approximately 1 year.
If the whitelist was comprehensive, it would require around 25,000 updates per day.
If updates are automated, then spammers can add themselves.
If updates are checked by a human, then you'd need a staff of about 100 people working full time doing nothing but verifying the IPs.
In the AT&T case, they might limit the list to 10,000 servers or so.
That's still a couple dozen updates per day, which means at least a part time employee who does nothing but update their white list.
Either employees will start using their personal email addresses for work related email, or AT&T will give up on this PHB idea.
-- this is not a .sig
When is the last time you've gotten spam from hotmail.com, yahoo.com, or any other popular free service like this?
I've gotten plenty of forged email headers that show hotmail.com and yahoo.com, but I've never gotten a spam message from either. Why? Because if 1 (ok, maybe 2) people report the account as spamming, it gets canned.
Accepting mail from these services will not pose a serious spam threat. At least until spammers can create a script to create the accounts and send the spam. Sites like Yahoo and Hotmail are actively trying to prevent these (to get their ads through to the real customers, if nothing else).
Uh guys, how do you know that email comes from ATT? Don't you think it's a little ironic that here we are debating the problem of people faking emails and taking seriously some random email?
Go ahead and reply, you may end up putting your IPs on a Preferred Sucker list for some worm writer.
Just saw this email.
Date: Wed, 22 Oct 2003 14:43:59 -0400
From: Steve Bellovin
To: nanog@nanog.org
Subject: Re: Heads-up: AT&T apparently going to whitelist-only inbound mail
AT&T STATEMENT - CURRENT SPAM ATTACK - 10/22/03

AT&T and a number of other large companies have seen a marked increase in the amount of incoming SPAM in recent days. A team of experts that includes members from AT&T Labs, Network Services, and Corporate Security has implemented a number of procedures to remediate this situation and minimize its impact on those trying to send e-mail to "att.com" addresses.

As of this morning - Wednesday, October 22nd - the level of incoming e-mail messages is returning to normal and the situation appears to be well in hand. Although all AT&T e-mail servers are fully operational at this time, some incoming messages are experiencing intermittent delays as SPAM filtering continues at all network gateways.

Customers who received e-mail bulletins from AT&T Monday and Tuesday requesting specific information are advised to disregard those messages. They were inadvertently sent out in error and we apologize for any confusion or inconvenience they may have caused.

Network reliability is one of our top priorities at AT&T, so for obvious reasons we will not be providing more detailed information regarding the specific security procedures implemented to curb this SPAM attack. We have no intention of helping those who generate this type of computer and Internet mischief.
If my ISP blocks any of my traffic, I'm switching to another ISP. If all ISPs block traffic, I'm going with wireless, packet radio, etc.
The use of certificates gives a number of options -- you could trust the usual root CAs, and you could also choose to trust certificates that you yourself sign, or signed by some other trusted third party. Somebody like MAPS or SpamCop or AT&T could provide signing services, offering to sign for a fee, for a bond, or (getting back onto the current AT&T topic) only sign for their customers and partners.
However, spammers routinely do try to turn ordinary personal broadband-connected PCs into spam-transmitting SMTP clients, and these would be machines that would not normally have a valid "SMTP Certificate" assigned to a static IP (if they have a static IP at all), and thus would not pass even the most basic trusted client certificate check. Hackers who build up a zombie army of hundreds or thousands of compromised Windows hosts are not likely to go out and spend $$ to purchase a signed certificate for the (short-lived) IP address of each zombie.
Corporations who manage a couple (or a couple dozen, in the case of AOL) separate outbound SMTP gateways would likely not have a problem with paying a few bucks per server to have them "bonded" by one or more CAs. Abuse the privilege and you forfeit your bond.
I do not deploy Linux. Ever.
- Encrypted with your public key
- Signed by one of your "trusted signers" using their private key.
The first requirement allows any random stranger to send email to you, if they are willing to put in the extra work and CPU cycles to obtain your published key and encrypt with it. This knocks out the broadcast mass spam mailings.
-or-
The second requirement provides a workaround for legitimate mailing lists and other broadcast messages -- when you sign up for a mailing list or sign up for Aunt Martha's Christmas letter, you can add them to your list of trusted signers.
The major problem remaining is how to get the Aunt Marthas of the world to start using PGP/GPG...
I do not deploy Linux. Ever.
Disclaimer: This isn't an official AT&T statement, I'm not a lawyer or even wearing a tie, and the *real* Anonymous Coward actually works at a different office.
What it did was affect whether or not mail you sent to joe.random.employee@att.com got heavy spam filtering (on the mail servers that were getting pounded to death and might lose mail) or whether you got sent to one of the servers that did less spam filtering and wasn't getting pounded.
So even if a few spammers got themselves whitelisted, that wouldn't be a big problem because the filtering can handle them (plus they'd be coming from known IP addresses which could be blocked or de-whitelisted). But for some customers who are ISPs or email providers, it's a lot tougher to do the job right - they'd really want to
- permit email from sysadmin@bigisp.example.net to wholesale-fiber-sales@att.com
- deny forged email pretending to be from got.viagra@bigisp.example.net that really came from some hijacked Korean relay
- do some filtering on email from joe-random-user@bigisp.example.net to random-employee@att.com
and it's hard to do that really well.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
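The three cases listed in the comment above, written out as an added example that is not part of the original thread and not AT&T's actual configuration. The tier names, the registered-gateway table, the trusted-sender table and all addresses are constructed assumptions; the source IP is the only input treated as trustworthy, and the envelope sender is believed only when the IP matches a registered gateway.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation addresses): outbound
# gateways a partner domain registered for the whitelist.
REGISTERED_GATEWAYS = {
    "bigisp.example.net": [ipaddress.ip_network("192.0.2.0/28")],
}
# Hypothetical table: partner staff mailboxes that get the light path.
TRUSTED_SENDERS = {"bigisp.example.net": {"sysadmin"}}

LIGHT, FILTER, HEAVY, REJECT = "light", "filter", "heavy", "reject"


def split_address(addr):
    """Split an envelope sender into (local part, domain), lowercased."""
    local, sep, domain = addr.strip().strip("<>").rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a usable envelope sender: %r" % addr)
    return local.lower(), domain.lower().rstrip(".")


def route(source_ip, mail_from):
    """Pick a filtering tier from the connecting IP and MAIL FROM."""
    ip = ipaddress.ip_address(source_ip)
    try:
        local, domain = split_address(mail_from)
    except ValueError:
        return HEAVY  # null sender or junk: nothing to match, filter hard

    nets = REGISTERED_GATEWAYS.get(domain)
    if nets is None:
        return HEAVY  # domain never registered: not whitelisted
    if not any(ip in net for net in nets):
        # Claims a registered domain but did not come from its gateways:
        # the "forged mail via a hijacked relay" case.
        return REJECT
    if local in TRUSTED_SENDERS.get(domain, ()):
        return LIGHT  # partner staff from the partner's own gateway
    return FILTER     # real customer of the ISP: still gets filtering


if __name__ == "__main__":
    for ip, sender in [
        ("192.0.2.5", "sysadmin@bigisp.example.net"),
        ("203.0.113.77", "got.viagra@bigisp.example.net"),
        ("192.0.2.5", "joe-random-user@bigisp.example.net"),
    ]:
        print(ip, sender, "->", route(ip, sender))
```

The hard part the comment points at is outside this sketch: keeping the gateway and sender tables accurate for every partner.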
Sometimes my laptop is at work and I want to send email from my home email account. So I tell Eudora to use the SMTP server at work and it works fine, but the mail gets sent from my company's DMZ outbound mail server, rather than from my ISP's outbound mail server. RMX would break that. Other times my laptop is at home, and I want to send email with my work IP address, but that's easy, because I use a VPN tunnel to connect to my office, so it gets sent from our usual email server. (Sometimes my laptop is at home on the VPN, and I want to send email from my home account - that case looks like I'm sending it from the office...)
Sure, I could use some lame webmail form at my ISP to send email from, but that's really annoying, especially if I'm replying to a message that I've received on my POP3 or IMAP email client rather than composing a new message.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
While it was apparently a bandaid that they were evaluating and decided not to deploy, the big problem was that the level of spam they were getting was overwhelming their current spam filters, so real email was getting dogged down into unreliability anyway. The alternative to blacklisting is to do heavier filtering on people who aren't whitelisted (and lightweight filtering or monitoring even on people who are...)
"Those e-mails went out in error. They never should have been sent. We have apologized and we're requesting that customers disregard them," AT&T spokesman Dave Johnson told internetnews.com.
"It was an honest human error. Sometimes, folks makes mistakes," Johnson said.
It might make it slightly easier to find the dork that had its box taken over to spammers, but simply using the IP address in the first Received-header usually works just as well.
The problem with this approach, and many others, seems to be that the goal is stated as "make life harder for spammers". That is easy. But the real goal should be "make e-mail usable again", without harming innocent users just as bad as spammers.
Programming can be fun again. Film at 11.
I've read a lot of the traffic here, and I'm surprised that so many people still just don't get it.
The only way to deal with spam is to end its anonymity. Any method you choose: white list, black list, heuristic filter, blocking server names, blocking server types or Net access methods etc are all gonna fail.
First, some unsolicited email is welcome. So there has to be a way to get welcome unsolicited mail (the comments below about the ATT exec and ATT marketing people wanting to get blocked mail make that point.) So there will always be holes in the wall blocking spam.
Second, spammers are persistent, and can engage in nearly costless experiments to penetrate spam barriers. Actions taken to block the less persistent will breed fewer but more aggressive and persistent spammers. (That's also why laws can't work. They only work on the law-abiding. Only outlaws remain, routing through China.)
The only thing that will solve the spam problem is authenticating the sender. This could be over in a matter of months. If AOL and MSN were to provide digital signatures to their subscribers (they already have authentication information for them), and offered to block any incoming unsigned mail, everyone else would have to sign their mail in order to reach aol and hotmail accounts. In ATT's case, if they were to provide a digital signature to each user's account, and only use the whitelist filter on unsigned, incoming mail, they would also foster the end to anonymous email, and, as night follows day, to spam.
In that environment, the various countermeasures actually work. Or you simply block any unsigned mail, and pursue any signed spam through laws or civil action.
The rub, of course, is that ATT, MS and AOL send out their share of spam......
the standard thing in corporations is for email to be "look at me" or "cover my ass".
It reminds me of when I worked for Compaq after being bought as part of DEC - the standard practice in Compaq was to send email and then call to ask if you'd gotten it and read it.
But then again, email at Compaq was very different from at DEC (although DEC had been devolving) in that it wasn't uncommon to get dozens of content free "action" memos a day addressed to a hundred people who had absolutely nothing to do with the issue other than being some form of manager, consultant, administrative staff,....
All my experience since indicates that email has truly replaced the interoffice memos that merely consumed forests. Of course, there are some people in corporations who have their admins print the email and file it. And best of all, neither the email nor the paper copy is actually read....
Why can't I just run a wire into AT&T's switch room and connect to the internet?
Instead I'm forced to deal with some ISP who is already part of the internet core "club".
What AT&T is doing is simply forcing a similar structure on SMTP connections.
If you want to send mail to AT&T you either
1) go to the trouble of peering with AT&T
2) become an AT&T customer
3) be a customer of someone who peers with AT&T and send your email through their relay.
Of course this is the start of a system for charging for sent email. AT&T will allow its customers to send only x messages per month for a given service charge. Other ISPs will do the same.
What will be interesting is what happens at yahoo and MSN where certain email related services are still "free".
My guess is that yahoo has the critical mass to negotiate with the likes of AT&T - AT&T wouldn't want to piss off its customers by demanding a big fee from yahoo to accept email from yahoo, but AT&T wouldn't hesitate to demand payment from potential competitors to yahoo. This will strengthen yahoo's hold on these services, making it impossible to bill yahoo for mail sent.
The likely outcome is the consolidation of the email system into a core set of relays and relays that accept messages only from affiliated relays - ie customers.
In any case, it's unlikely that the change will have an adverse effect on 99.9999% of all internet users, just as the consolidation of the internet core to a small number of corporations has affected 99.99% of the users who were part of the internet before formation of and consolidation of the core.
I won't try to argue with that.
But where do the people who *do* know shit technically hang out now? Certainly not K5...
Sure, there might be a few actual cipherpunks hanging out chatting on SILC, but I'm more interested in message boards than in realtime chat. I'm on BOFHnet, but that's devolved to a social clique of bitten unemployed sysadmins.
Suggestions?
I do not deploy Linux. Ever.
This is a perfect example of how to over-react to a problem. "Well I don't like the game, so I am just going to take my marbles and go home". "Anyone who I care about already knows me". Isn't part of the greatness of the Internet the openness? Isn't it about finding connections and people you didn't know existed? Cut off your nose to spite your face. This approach from AT&T is too heavy handed. But I understand their frustration.