AT&T Moves Toward Mail-Server Whitelist
Gunfighter writes "In an apparent attempt to quell the amount of incoming spam, AT&T has asked their customers, partners, and business clients to provide them with the IP addresses of their mail servers. All other mail will be discarded. To quote the message: '... In order to continue to allow email to AT&T you need to provide the IP addresses of all your outbound email gateways. If you do not respond immediately, your access may not continue.'"
And it's been blocking email I send to my work account! Now I understand what's going on.
Personally, I can't see this working very well.
Complete shock and disbelief at the first e-mail (the dreadfully short message at the bottom).
Has anyone actually called and confirmed with the 1-800 number that this truly is AT&T, and it really is what they are saying? I'm not sure I'll believe it until I see the e-mail actually start bouncing. That's clinically insane. Do they seriously believe they'll be able to pull this off? You mean every time a small company creates a new mail server they'll have to contact AT&T with the outgoing SMTP servers? If this starts a major trend, you mean I'll have to contact lots of major ISPs to send mail to them?
Assuming this is to stop SPAM (what else could it be?), what's to stop a spammer from just calling up and saying "I'm a legit mailer, set me up"? What do I do when I get assigned the IP from the old spammer? What will their policy be on setting you back up? Will there be an official form? How can they tell the spammer just isn't duping them a second time with a fake business?
This sounds like a terrible idea, and like their security people haven't really thought this through. About the only thing I like about it is that it is a sign that major ISPs are starting to play hardball. I'm curious if one of their net admins was behind some of the major black lists that just got DDoS'ed off the net. I hope they accept e-mail from anybody with a legitimate MX record at least. At least for a little while. I can't believe they aren't going to do a black list instead of a white list.
What's the over-under on how long before the plug gets pulled on this? There's no way this will last. It'll be a world class disaster. My guess is it won't last 15 business days.
Kirby
After a few months of operation, it will become obvious that this plan is a disaster. Spam-friendly ISPs (and there are many with legit customers too) will still get on the whitelist, so incoming spam will not cease. But in the meantime, smaller ISPs around the world will get mighty pissed because their mail is rejected.
However, if you run your own mail server you will get quite annoyed, but all hope is not lost. Here is a brilliant solution for postfix that will let you deliver mail specifically bound for, say, attglobal.net through your ISP's hopefully whitelisted customer-use mail server instead of direct delivery. So AT&T will see your ISP's mail server connecting for this mail, while all your other mail can be delivered direct.
I'm mighty disappointed in AT&T. This move further commercializes Internet connectivity by giving big business the green light to send any mail while blocking all the small guys. Seriously.
AT&T has asked their customers, partners, and business clients to provide them with IP addresses of their mail servers.
Call me dense, but why not simply accept mail only from registered mail handlers? I would also do the filtering based on the connecting server's domain MX and the From header's domain MX; if neither is registered, you give a 550 error. That would stop 99% of the spam (that I get, at least) right there. Especially the virus spam that tries to turn any random Windows box into an SMTP server.
I find this very hypocritical. ATT is a major service provider for spammers, mostly through their broadband service. I know because I have my own blacklist and there are hundreds of Class C blocks with ATT. ATT is very lax with enforcing any AUP they may have.
Um, while I'd like to believe you, it doesn't look that way to me.
dig mx att.com
then telnet to port 25 for each MX host
I get no response from any of them.
It's a crying shame we've gotten to this point, I've been waiting for it for at least a year or so. All because of a bunch of greedy lowlife spam-spewing bastards who decided to capitalize on a resource to which NONE of them likely ever contributed anything of any value.
The IETF really needs to re-engineer SMTP, a la djb's model or something akin to it. Make these spam bastards pay for their putrid abusive ways!
--rc
Just so that this is absolutely clear. It is my understanding that they are asking customers on their IP networks for this information. That is: they want to know the IP addresses on their IP nets of SMTP servers to whitelist incoming and outgoing mail for. I believe this mail went out to their large (enterprise?) customers which includes many downstream ISPs.
Could anyone tell me if this letter also went out to customers that manage their own IP nets but buy upstream connections from AT&T. For example, ISPs that are LIRs for their own nets.
If VeriSign really cared about innovating and improving the net, this is the sort of thing they should be working on.
I think you just found the solution to the spam problem: What if mail servers needed to have a PK certificate before a mail server would relay mail for them? Also allow mail-admins to specify what CAs they trust certificates from...
The biggest problem is ATT will have to administrate this. If a (legitimate) domain switches IP addresses on their outgoing SMTP server (it happens), ATT will have to deal with it by setting up some kind of structure to accommodate such changes.
Forcing domains to declare which SMTP host legitimate mail will come from is actually a good idea. It has been proposed before, in the form of SPF:Sender and RMX. Either would do the job (technical quibbles aside), and would accommodate the end goal ATT is trying to achieve.
This scheme will last as long as it takes for one of the Brand New Spam Viruses to infect a billion computers across the internet that use these whitelisted servers.
As long as our governments are only willing to enforce the laws that make them money, the problems that plague our society will continue.
Seriously. Call up your local police office and report the 50 spams you got. Call the FBI. The FCC. The FTC. Call as many government offices as you care to until you're blue in the face. They all have some law that they should be enforcing that Spam breaks, but they're not interested.
Fix the problem, people, not the symptom. If you elect some leaders that will actually enforce laws that make the average citizen's life better, Spam will go away, along with a litany of other problems just like it.
That, or just keep voting for the same politicians that are in the pockets of the corporations, and these problems will persist.
fifth sigma, inc.
The vast majority of servers will be caught by the white-list. The very few who are smart/dumb enough to register on it can easily be handled by the blacklist - and, since assumedly the whitelist registration contains contact information, possibly be held responsible for their spamming.
Switch back to Slashdot's D1 system.
That's what I was thinking, but it looks like RMX is dead in the water, the link to the memo from the IETF ASRG website goes 404.
Looks like TLS (SMTP over SSL with client and server certificates) is our only hope. I was at a recent Open Group messaging conference (formerly X.org) where the main topic was spam, and there is definitely interest in this approach.
I do not deploy Linux. Ever.
Sender Permitted From, a handy little concept whereby DNS servers for domains publish lists of what servers are vouched for, so to speak. By only accepting email from servers which implement SPF, you reduce spam a lot. With SPF, if anyone is doing spam, it's very traceable and prosecutable. You also cut down on people trying to fake identities.
If everyone implements SPF, it'd solve this problem in a fairer way.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
This is a form of the Byzantine Generals problem. The summary of the problem as I read it (and this was someone analyzing how to attack P2P networks trying to keep forgeries (e.g. RIAA planted fake songs) out): essentially, the problem's solution was such that so long as 2/3 of the 'generals' or hosts on the network are 'good', i.e. in our case not spammers, the spammers lose. You can search the slashdot archives if you want, I'm too lazy.
I fundamentally believe that this is the real solution to the spam problem (although Naive Bayes filters are pretty good), but nobody has started to create the list.
Yes, I know under this scheme you can't easily send mail direct from your leet home xchange server. Proxy it through your ISP's mail server. That's not exactly rocket science.
[1] Configure your reverse mappings for your Internet-facing machines properly. That way we can start checking on reverse lookups, which would stop Joe Luser's Windows box on DSL being turned into an SMTP engine.
I know that people can trivially configure their own DNS servers and spoof the forward and reverse mappings, but at least there needs to be an administrative contact on the SOA record and on the WHOIS information; which is something
[2] Get rid of the un-needed use of HTML emails. There is no need for half of the formatting and dross in emails. ASCII does just fine, and provide a link to a website if you need to woo people with eye candy.
[3] Undo some of the supposed "intelligent" behaviour of email clients. They should display text first, and do everything else (play sounds, render HTML) as a user-invoked extra.
[4] Make it a "must manually do" option to allow SMTP servers to allow relaying from anything other than their internal interface and IP range. Too many products come too open out of the box.
[5] Use the TXT record or something similar for SMTP servers to list which domains they serve. That way receiving servers performing a forward/reverse lookup for verification will also be able to see if the domain in the email has been spoofed.
___FutureShoks___
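Several comments above describe the same family of SMTP-time checks: accept only registered gateways (the AT&T scheme in the story), require an MX for the sender's domain (the "call me dense" post), require forward-confirmed reverse DNS and a published list of sending hosts ([1] and [5] in the list just above), and SPF-style records (the Sender Permitted From post). The following is an added example, not code from any poster or from AT&T, showing how a receiving MTA could combine those checks at MAIL FROM time. It runs offline against a constructed in-memory DNS table (all names and addresses are made up from documentation ranges) and implements only a simplified SPF subset (ip4:, a, mx, -all, ~all); a real deployment would do live lookups and use a full SPF library.

```python
"""Toy SMTP-time sender checks (added illustration, not anyone's production code)."""
import ipaddress

# Constructed DNS data standing in for real lookups so the example runs offline.
DNS = {
    "A": {
        "mail.example.net": "198.51.100.10",
        "mx.bigcorp.example": "203.0.113.5",
        "cust-77.dsl.example": "203.0.113.77",   # a DSL customer box, not a mail host
    },
    "PTR": {
        "198.51.100.10": "mail.example.net",
        "203.0.113.5": "mx.bigcorp.example",
        "203.0.113.77": "cust-77.dsl.example",
    },
    "MX": {
        "example.net": ["mail.example.net"],
        "bigcorp.example": ["mx.bigcorp.example"],
    },
    "TXT": {
        "example.net": "v=spf1 ip4:198.51.100.0/24 -all",
        "bigcorp.example": "v=spf1 mx -all",
    },
}


def lookup(rrtype, name):
    """Stand-in for a DNS query; returns None when the record does not exist."""
    return DNS[rrtype].get(name)


def fcrdns_ok(ip):
    """Forward-confirmed reverse DNS: PTR(ip) gives a name whose A record is ip again."""
    name = lookup("PTR", ip)
    return name is not None and lookup("A", name) == ip


def has_mx(domain):
    """Does the sender's domain publish any MX at all?"""
    return bool(lookup("MX", domain))


def spf_result(ip, domain):
    """Evaluate a simplified SPF record: ip4:, a, mx mechanisms and an -all/~all qualifier."""
    record = lookup("TXT", domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "a":
            if lookup("A", domain) == ip:
                return "pass"
        elif term == "mx":
            if any(lookup("A", mx) == ip for mx in lookup("MX", domain) or []):
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "neutral"


def smtp_policy(client_ip, mail_from, registered):
    """Decide at MAIL FROM time and return an (SMTP code, reason) pair.

    Registered gateways (the whitelist idea) are accepted outright; every other
    client must pass FCrDNS, have an MX for its sender domain, and not fail SPF.
    """
    if client_ip in registered:
        return (250, "OK registered gateway")
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if not fcrdns_ok(client_ip):
        return (550, "reverse DNS does not confirm forward lookup")
    if not has_mx(domain):
        return (550, f"no MX for sender domain {domain}")
    result = spf_result(client_ip, domain)
    if result == "fail":
        return (550, f"SPF fail for {domain}")
    return (250, f"OK spf={result}")


if __name__ == "__main__":
    for ip, sender in [("198.51.100.10", "bob@example.net"),
                       ("203.0.113.77", "bob@example.net"),
                       ("203.0.113.99", "eve@example.net")]:
        print(ip, sender, smtp_policy(ip, sender, registered=set()))
```

The ordering matters for the concerns raised in the thread: the whitelist short-circuits everything, so an IP that a spammer inherits from a registered block is still accepted, which is why the checks on unregistered clients (FCrDNS, MX, SPF) are the part that scales without a phone call to the provider.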
A lot of sort of unrelated things have been happening lately that indicate an instability in the philosophical underpinnings of the Internet. It used to be that the idea of sealing off access to areas of it would be completely anathema, as much as the idea of someone doing something like Verisign's recent Sitefinder profit-play.
We're reaching the point where it's no longer considered completely out of the question to discuss blocking access to non-offenders. It's gone from being okay to block SMTP traffic from "non-static IPs" to being okay to block traffic from "anyone who's not on our exclusive list" within a period of months.
Verisign has done the previously unthinkable by modifying major functions of the DNS system without so much as a "by your leave". And having gotten their hand smacked, rather than admit any wrongdoing, they are politicking in the media to lay the groundwork for efforts to wrest complete control of the process. What will they decide they have a right to do next? And if they get away with it, what are other (backbone providers/ISPs/you name it) going to try to see how much they in turn can get away with?
And it doesn't look like too many people are thinking ahead to where these trends will go if not arrested. The Internet has functioned as well as it has for as long as it has because by and large the big players have all followed the rules, customs, and generally accepted way of doing things. If they all start to do whatever they please at the moment, will there still be an Internet?
Quoth he
"It's all academic anyway..."
AT&T three years ago were caught out when a "pink contract" they held with Ronnie Scelson's Cajun Hosting was brought to light by anti-spammers on news.admin.net-abuse.email. Now they're going to do something about the spam hitting their users' inboxes.
Less spam would hit their users' inboxes if they were to sever all ties with their pet spammers. It's my own hog-fucking opinion that AT&T still has plenty of pink paper over there and are still helping spammers to stay in business. However, money still talks the loudest. Those spam contracts usually bring double or triple the going rate to ignore complaints.
Ain't that the truth.
There are a few "true costs of spam" I'm seeing. One is as you point out, Balkanization (and I'm still stuck by the AOL issue, though at least I can mail by a secondary route). One is people cut off from other groups by arbitrary blacklisting policies. And yes, many of us (/me raises hand) cheered the same action when used against foreign ISPs with large spam volumes, though I still maintain that there's an important distinction between strongly prodding ISPs to clean up their act, and arbitrarily shutting out large portions of the 'Net.
Another is that the typical user is rapidly getting chased off the 'Net. Exposing your address anywhere is an instant invitation to not only spam, but viral spew, which in my experience is many times worse. Even on bad days, spam is ~150 messages. I've had 2000+ viruses at peak of Swen and SoBig, friends report far more. POP mail over dialup is simply impossible in this situation. Most of your inbound mail bounces because your inbox is full, and you spend all day downloading crap. SMTP-time, user-controlled, accountable, accurate, and effective spam and virus filtering is no longer optional. I've been trying to drill this point into my brain-dead ISP. Usenet discussions in their forums have been obsessed with Swen.
This also means that the likelihood for people to engage in open discussions, under their real identities, is being harmed. On the debian-user and other mailing lists we've seen endless discussions over the past several weeks by people who participate and then get flooded by spam. The lesson: don't participate.
And anyone with well-advertised, long-established email addresses.... Peter G. Neumann of the comp.risks archive runs SpamAssassin over list mail and still has 90% spam in the list mail, after filtering.
I still have hopes that we can dig out of the situation. As others note: when high-up execs start losing messages, I suspect AT&T's policy will slacken. AOL, as I've said, hasn't budged, however. Filtering is still largely effective, it just needs to be pushed further out to the SMTP transaction level. And I suspect that AT&T has a good idea, poorly implemented: MTAs themselves can keep track of spam and ham (non-spam) mail, and determine what mailservers they do and don't want to deal with. Current work with exim4+spamassassin integration is a long way toward this.
And yes, I'm the submitter of the AOL Bans Mail From DSL-Hosted Servers story.
What part of "gestalt" don't you understand?