Slashdot Mirror
AT&T Moves Toward Mail-Server Whitelist
Gunfighter writes "In an apparent attempt to quelch the amount of incoming spam, AT&T has asked their customers, partners, and business clients to provide them with IP addresses of their mail servers. All other mail will be discarded. To quote the message: "... In order to continue to allow email to AT&T you need to provide the IP addresses of all your outbound email gateways. If you do not respond immediately, your access may not continue.""
And it's been blocking email I send to my work account! Now I understand what's going on.
SMTP email was nice while it lasted.
Semaphore, anyone? Smoke signals?
News for Nerds. Stuff that Matters? Like hell.
..the spammers to get AT&T to whitelist their IPs?
is a few span servers to get on the list, and a few legit servers to get hacked and taken off the list (and tries to get on again) before there will be hell and ATT would have to abandon the plan, wasting all these time and resources used to instate this plan in the first place.
Great shame, really...
My life in the land of the rising sun.
I had an "unpublished" landline phone number, and chose a third-party carrier for my long distance service. AT&T called me every week as long as I had that phone line, trying to sell me long distance service, no matter that every time I called, I said "no" and told them to never call again.
It seems that AT&T thinks that if you don't want to do business with them, then they automatically deserve to be on your whitelist.
Voice spam is just as bad as email spam. Even worse, since you can't deal with it on YOUR time.
Give me my freedom, and I'll take care of my own security, thank you.
Personally, I can't see this working very well.
On the other hand, there are other approaches just as destructive.
I run an outbound SMTP server for my own personal use, in part because my ISP's SMTP server sucks.
At times, it could take 30 or more minutes to relay an email to myself.
One of the problems with this is that apparently I got listed on some kind of dial-up user block list, and my mother's ISP blocks those users from sending to its users.
The downside is that my mother's ISP also blocks my ISP's SMTP server.
Isn't that useful.
Remove the caps and hold to a mirror.
This can't be right... Most businesses have no idea what an IP address is, let alone the IP addresses of people who send them email... It sounds like an utterly stupid plan. What's to stop spammers sending them IP addresses of their mail sending boxes or open relays?
I wonder how the people on AT&T's ISP networks are going to feel about not being able to communicate with mom and dad in Singapore? And all those folks (or those few folks, I suppose, depending on who you hang with) running personal SMTP services from their homes for the added privacy it buys them.
Yes, there's a lot of trash spam out there. It's NOT impossible to stop, but solutions like this one are not going to substantially help. If AT&T closes off its mail network to the world outside, those broadband customers running open proxies just become that much more valuable - then ATs own customers become the conduit of the spam they are trying to squash. There are thousands of "questionable" usenet posts that originate from roadrunner and AT&T and pacbell and earthlink usenet servers that are proxied there through their own broadband customers. Even locking those customers down to port 80 access won't stop trojans and backdoors, so logically I guess this is just the first step to AT&T closing off its network from the internet entirely?
Maybe they'll just firewall all their customers in and dish out the DMCA approved web pages through proxy farms... that'll teach those evil spammers!
I'm oversee an it department. While we're lucky enough to have a highly technical user base there are still users that need a little help. And some of them will have to write at&t.
"Solutions" like this do little to stem the tide of spam, they only shift the burden to others. Now, in order to ensure that my users can send email to the customers and contacts they need at att&t, I have to keep them up to date with our whereabouts on the net?
Earlier this year we had to deal with a spat of denied messages cause when a number of large organizations blocked our entire address block because they believed it was a DSL block. This was the only reason. Not that spam originated from any of these addresses,
The only way to stop spam is to stop the spammers. The only way to stop the spammers is to stop those that pay them or otherwise make money trough the spam.
\Drew National Data Director, John Edwards for President
This is really a lose-lose situation and it's disappointing to see this. If there's going to be a concept of trusted mail servers, we need to use a technological solution that allows easy, open, and transferable trusted participation in the network - maybe for once an application where a web-of-trust would actually function. Even the current system with centralized, subscription-based blackhole lists is far better - at least you only have 5-10 different places to go if you end up on somebody's shit list.
In the dark world of the future you'll have to fight your way through bureaucracy and stupid sysadmins (and yes, the vast majority of sysadmins are fucking idiots, though I know that's not a popular opinion around here) for each and every company, organization or domain you want to send email to. That sounds like an infeasible, unmaintainable system to me.
Personally, I find the spam filtering on my fastmail (www.fastmail.fm) account to be incredibly reliable and effective, and I've found that if I bounce back every piece of true spam I get, over a few weeks or months, my rate of incoming spam seems to decrease substantially. We can do better, and we will beat the spammers, but we don't need to throw out the baby with the bathwater.
But, if you wish to become an ATT customer, how do you contact them?
I have no wish to phone them so they can get my phone number, which they will use to call me every 5 days trying to get me to switch my ld to att.
A week ago I decided that it would be interesting to setup my own mail server, hell, fun even. Interesting yes, fun no. I started with sendmail and ended up with qmail.
m l?tid=120).
I was so proud of my new server, it was so, well, new. I go to send out a test mail and alas earthlink would not accept it, hmm. Then I sent one to my yahoo account, nope. Hotmail? You guessed it. What's the deal I asked. Googled a bit, found that slashdot discussion (http://yro.slashdot.org/yro/03/04/13/2215207.sht
I started to realize that email is no longer a tool of the little guy. I send my mail through my earthlink server which works but now I must watch my volume (no mailing lists hosted here I'm afraid) because of my 'terms-of-service'. Something about being a little guy or something like that.
Now the last barrier is up. I wonder if ATT would put me on their list?
I have my own domain and run a MTA on my Linux box that is on DSL and gets its IP via DHCP. The IP almost never changes since the server is always on. I bet this is the same configuration as other
Anyway, I am starting to get bounces from certain organizations (AOL, Primus) that seem to think my messages are spam. Seems to have something to do with coming from an IP that is known DHCP. This kind of sucks; whitelists and spam filters may seem good at first, but they are screening out some legitimate traffic.
FYI, this seems to be from AT&T Business Services, IE backbone and ip operations. So their customers (the people they are asking) in this case are other ISPs, datacenters, etc, and the whitelist is for sending email to AT&T itself. This has nothing to do with other AT&T services (remember, "AT&T" is essentially about a hundred different companies that happen to share the same name), so this should not affect some grandma trying to send to an attbi account. That being said, whether what they're doing is good remains to be seen.
(Interestingly enough, I *DO* work for a datacenter that has IP and transit services through AT&T, and have not received one of these emails yet...)
I've said it before, and I'll say it again. We need to dump SMTP and switch to something like Internet Mail 2000. The sooner we do it, the better. Some people here have voiced concerns, but I'm convinced that this proposal is well thought out and will work. Any inconvenience (which would be minor, and only for a small fraction of users) would be trumped by its benefits, by a wide margin.
Anyone know if anyone is actually coding up a sample server and client for IM2000? A google search for "internet mail 2000" comes up with some proposals that go beyond Bernstein's site, but I haven't seen any evidence of code yet. It really shouldn't be that complicated and, yeah, I'd be willing to help!
I read between the lines as:
Greetings Customers and Partners,
There is too spam, so we fired everyone in IT. We've got some temps, led by secretaries, who will now rebuild and maintain all AT+T messaging platforms. Please send your IP addresses as we will need to ping you next week to see if you're still a Parntner/Customer.
Best regards,
"
Complete shock and disbelief at the first e-mail (the dreadfully short message at the bottom).
Has anyone actually called and confirmed with the 1-800 number that this truely is AT&T, and it really is what they are saying? I'm not sure I'll believe it until I see the e-mail actually start bouncing. That's clinically insane. Do they seriously believe they'll be able to pull this off? You mean ever time a small company creates a new mail server they'll have to contact AT&T with the outgoing SMTP servers? If this starts a major trend, you mean I'll have to contact lots of major ISP's to send mail to them?
Assuming this it to stop SPAM (what else could it be?), what's to stop a spammer from just calling up and saying I'm a legit mailer set me up? What do I do when I get assigned the IP from the old spammer? What will there policy be on setting you back up? Will there be an official form? How can they tell the Spammer just isn't dupping them a second time with a fake business?
This sounds like a terrible idea, and like their security people haven't really thought this through. About the only thing I like about it, is that it is a sign that major ISP's are starting to play hardball. I'm curious if one of their net admins was behind some of the major black lists that just got DDoS'ed off the net. I hope they accept e-mail from anybody with a legitimate MX record at least. At least for a little while. I can't believe they aren't going to do a black list instead of a white list.
What's the over-under on how long this takes to get pulled the plug on? There's no way this will last. It'll be a world class disaster. My guess is it won't last 15 business days.
Kirby
After a few months of operation, it will become obvious that this plan is a disaster. Spam-friendly ISPs (and there are many with legit customers too) will still get on the whitelist, so incoming spam will not cease. But in the meantime, smaller ISPs around the world will get mighty pissed because their mail is rejected.
However, if you run your own mail server you will get quite annoyed, but all hope is not lost. Here is a brilliant solution for postfix that will let you deliver mail specifically bound for, say, attglobal.net through your ISP's hopefully whitelisted customer-use mail server instead of direct delivery. So AT&T will see your ISP's mail server connecting for this mail, while all your other mail can be delivered direct.
I'm mighty disappointed in AT&T. This move further commercializes Internet connectivity by giving big business the green light to send any mail while blocking all the small guys. Seriously.
Most big corps have an army of salesmen, tech guys, whatever, roaming around the world handing out business cards with an email address printed on them. The idea is that potential customers or potential partners with actually email us and we'll do things with them that make money for the corporation. Cutting off that communication sounds like a very bad idea.
This seems pretty odd. Is this just a small division somewhere that is trying this or THE AT&T.
Even if they did come up with a complete and accurate list of non-spammer mailservers, they still need a way to continiously update it. What would they want? Everyone in the world sending them email whenever a mailserver comes or goes? (oops, no... because the new server wouldn't be on the list either.)
AT&T cannot be this stupid. I have to think that this is a hoax. The long message vouching for the credibility of the earlier, terse message supports this idea.
AT&T has asked their customers, partners, and business clients to provide them with IP addresses of their mail servers.
Call me dense, but why not simply accept mail only from registered mail handlers? I would also do the filtering based on the connecting server's domain MX and the From header's domain MX; neither is registered, you give a 550 error. That would stop 99% of the spam (that I get, at least) right there. Especially the virus spam that tries to turn any random Windows box into an SMTP server.
I find this very hypocritical. ATT is a major service provider for spammers, mostly through their broadband service. I know because I have my own blacklist and there are hundreds of Class C blocks with ATT. ATT is very lax with enforcing any AUP they may have.
The best dual boot problem solver is; dd if=/dev/urandom of=/dev/hda1 ..then cfdisk /dev/hda1 etc..
:-( too bad I have my wife won't switch yet. I have always wanted to use that command!
OH THE SHAME I fell off the wagon and use sigs again!
There are several initiatives underway to use DNS to authenticate SMTP transactions: this seems like a good way to avoid the nastiness described by the parent poster...
- http://spf.pobox.com/draft-mengwong-spf-01.txt
- http://www.pan-am.ca/draft-ietf-asrg-dsprotocol-0
0 .txt
- http://www.ietf.org/internet-drafts/draft-danisch
- dns-rr-smtp-03.txt
The article really does sound like this request is an emergency response to a specific threat - The intent seems to me to be more of a temporary bandaid solution than an attempt to alter the very fabric of email as we know it (-:Pixie
don't mess with those geekgrrls
Just so that this is absolutely clear. It is my understanding that they are asking customers on their IP networks for this information. That is: they want to know the IP addresses on their IP nets of SMTP servers to whitelist incoming and outgoing mail for. I believe this mail went out to their large (enterprise?) customers which includes many downstream ISPs.
Could anyone tell me if this letter also went out
to customers that manage their own IP nets but buy upstream connections from AT&T. For example, ISPs that are LIRs for their own nets.
I've been told that some spammers-for-hire get paid by the response.
If you complain or try to "unsubscribe", that counts as a response and increases their fee.
I was hunting around for some info on how to set procmail up to only allow the 4 domains that I get legitimate mail from when I ran across tmda. I decided to give it a shot instead and I haven't seen a spam since. I know that technically they're still coming in, but I went from 30-40 spams a day in my inbox to 0. Now I can ignore the problem until they start slipping through or they start consuming a significant portion of my bandwidth.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
127.0.0.1
I have over 70 freaks, do you?
The biggest problem is ATT will have to administrate this. If a (legitimate) domain switches IP addresses on their outgoing SMTP server (it happens), ATT will have to deal with it by setting up some kind of structure to accomodate such changes.
Forcing domains to declare from what SMTP host legitimate mail will come from is actualy a good idea. It has been proposed before, in the form of SPF:Sender and RMX. Either would do the job (technical quibbles aside), and would accomodate the end goal ATT is trying to achieve.
This scheme will last as long as it takes for one of the Brand New Spam Viruses to infect a billion computers across the internet that use these whitelisted servers.
As long as our governments are only willing to enforce the laws that make them money, the problems that plague our society will continue.
Seriously. Call up your local police office and report the 50 spams you got. Call the FBI. The FCC. The FTC. Call as many government offices as you care to until you're blue in the face. They all have some law that they should be enforcing that Spam breaks, but they're not interested.
Fix the problem, people, not the symptom. If you elect some leaders that will actually enforce laws that make the average citizen's life better, Spam will go away, along with a litany of other problems just like it.
That, or just keep voting for the same politicians that are in the pockets of the corporations, and these problems will persist.
fifth sigma, inc.
That's what I was thinking, but it looks like RMX is dead in the water, the link to the memo from the IETF ASRG website goes 404.
Looks like TLS (SMTP over SSL with client and server certificates) is our only hope. I was at a recent Open Group messaging conference (formerly X.org) where the main topic was spam, and there is definitely interest in this approach.
I do not deploy Linux. Ever.
Sender Permitted From, a handy little concept whereby DNS servers for domains publish lists of what servers are vouched for, so to speak. By only accepting email from servers which implement SPF, you reduce spam a lot. With SPF, if anyone is doing spam, it's very traceable and prosecuteable. You also cut down on people trying to fake identities.
If everyone implements SPF, it'd solve this problem in a fairer way.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
[1] Configure your reverse mappings for your Internet-facing machines properly. That way we can start checking on reverse lookups which would stop Joe Lusers Windows box on DSL being turned into an SMTP engine.
I know that people can trivially configure their own DNS servers and spoof the forward and reverse mappings, but at least there needs to be an administrative contact on the SOA record and on the WHOIS information; which is something
[2] Get rid of the un-needed use of HTML emails. There is no need for half of the formatting and dross in emails. ASCII does just fine, and provide a link to a website if you need to woo people with eye candy.
[3] Undo some of the supposed "intelligent" behviour of email clients. They should display text first, and do everything else (play sounds, render HTML) as a user-invoked extra
[4] Make it a "must manually do" option to allow SMTP servers to allow relaying from anything other than their internal interface and IP range. Too many products come too open out of the box
[5] Use the TXT record or something similar for SMTP servers to list which domains they serve. That way receiving servers performing a forward/reverse lookup for verification will also be able to see if the domain in the email has been spoofed.
___FutureShoks___
So why don't you just block outbound access to port 25 on your routers? Not exactly rocket science...
A lot of sort of unrelated things have been happening lately that indicate an instability in the philosophical underpinnings of the Internet. It used to be that the idea of sealing off access to areas of it would be completely anathema, as much as the idea of someone doing something like Verisign's recent Sitefinder profit-play.
We're reaching the point where it's no longer considered completely out of the question to discuss blocking access to non-offenders. It's gone from being okay to block SMTP traffic from "non-static IPs" to being okay to block traffic from "anyone who's not on our exclusive list" within a period of months.
Verisign has done the previously unthinkable by modifying major functions of the DNS system without so much as a "by your leave". And having gotten their hand smacked, rather than admit any wrong doing, they are politicking in the media to lay the ground work for efforts to wrest complete control of the process. What will they decide they have a right to do next? And if they get away with it, what are other (backbone providers/ISPs/you name it) going to try to see how much they in turn can get away with?
And it doesn't look like too many people are thinking ahead to where these trends will go if not arrested. The Internet has functioned as well as it has for as long as it has because by and large the big players have all followed the rules, customs, and generally accepted way of doing things. If they all start to do whatever they please at the moment, will there still be an Internet?
Quoth he
"It's all academic anyway..."
AT&T three years ago were caught out when a "pink contract" they held with Ronnie Scelson's Cajun Hosting was brought to light by anti-spammers on news.admin.net-abuse.email. Now they're going to do something about the spam hitting their user's inboxes.
Less spam would hit their user's inboxes if they were to sever all ties with their pet spammers. It's my own hog-fucking opinion that AT&T still has plenty of pink paper over there and are still helping spammers to stay in business. However, money still talks the loudest. Those spam contracts usually bring double or triple the going rate to ignore complaints.
Alright "sql rob", how about hooking them up to a third um... "DB" machine of some sort?
Your credit card information wants to be free.
Couldn't ATT scan their current email base for this same info? Sure it's going to take 1+ sets of human eyes to make sure an IP is legit but that's going to be needed anyhow to review the incoming requests to be added to the whitelist.
3 21 78-2003Oct15.html
Lets take this one step further. Six months down the road I, a future customer, business partner or supplier to ATT whom has never heard of this policy, send them some email wanting LD service for Humongous Corp, to supply widgets at half their current cost or whatever and has its mail bounce or go unanswered. ATT is the big loser. Must be nice to be a company that has no need for additional customers or suppliers.
More info on the deep thinkers at ATT and other big businesses can be found in the book "The Innovator's Solution: Creating and Sustaining Successful Growth," by Clayton Christensen and
Michael Raynor. A review can be found at the Washington Post here (some non-personal info may be required before reading) (Remove obligtory Slashdot Extra Space(TM)):
http://www.washingtonpost.com/wp-dyn/articles/A
A small excerpt:
(The book) offers a funny look back at how AT&T threw away $50 billion in just over a decade on doomed identity changes.
After exiting the local phone market in 1984, AT&T first tried to become a computer company, buying NCR for $7.4 billion only to sell it five years later at roughly half price. Next it entered the cell-phone market by acquiring McCaw Cellular for $11.6 billion and sinking $15 billion more into improvements. But when AT&T spun off its wireless business in 2000, the new wireless entity was valued at a mere two-thirds of its investment. Then came the disastrous cable bet: A few years after forking over $112 billion to buy TCI and Media One, AT&T unloaded those assets to Comcast for $72 billion.
Yup, the dinosaur is about dead.
The adminsitrative overhead along of customers/partners/suppliers changing ISPs, moving mail servers, and etc.. will pretty much insure that AT&T mail will NOT be reliable.
-- You can't idiot-proof anything, because they're always coming out with better idiots.
Heh, glad I still remember how to configure uucp. I'll just teach my mom and close friends how to use it and we'll have spam-free email courtesy of Ma Bell! /flex
Ma gavte la nata
According to the recording at the 800 number supplied, this was a draft email that was sent out prematurely.
Pete Carr Owner Chatmag.com
In reading the original message (included at the bottom of the later message), I think that this has nothing to do with inbound spam. Instead, I believe that AT&T is about to block its clients from accessing port 25 on servers other than those in a defined list.
This doesn't address the problem of AT&T users receiving spam (except indirectly). Instead, it is addressing the problem of AT&T users sending spam. More likely, this is addressing the problem of poorly configured and virus-infected machines belonging to AT&T clients being used as relays of spam.
This is likely in response to the "stealth spamming" that's becoming more popular: hijacking machines via virus for use as SMTP relay, DNS server, and web server. [For those interested, there's been a fair bit of NANOG discussion of this recently under the subject of "Wired mag article on spammers playing traceroute games with trojanedboxes".]
Ain't that the truth.
There are a few "true costs of spam" I'm seeing. One is as you point out, Balkanization (and I'm still stuck by the AOL issue, though at least I can mail by a secondary route). One is people cut off from other groups by arbitrary blacklisting policies. And yes, many of us (/me raises hand) cheered the same action when used against foreign ISPs with large spam volumes, though I still maintain that there's an important distinction between strongly prodding ISPs to clean up their act, and arbitrarially shutting out large portions of the 'Net.
Another is that the typical user is rapidly getting chased off the 'Net. Exposing your address anywhere is an instant invitation to not only spam, but viral spew, which in my experience is many times worse. Even on bad days, spam is ~150 messages. I've had 2000+ viruses at peak of Swen and SoBig, friends report far more. POP mail over dialup is simply impossible in this situation. Most of your inbound mail bounces because your inbox is full, and you spend all day downloading crap. SMTP-time, user-controlled, accountable, accurate, and effective spam and virus filtering is no longer optional. I've been trying to drill this point in to my brain-dead ISP. Usenet discussions in their forums have been obsessed with Swen.
This also means that the likelihood for people to engage in open discussions, under their real identities, is being harmed. On the debian-user and other mailing lists we've seen endless discussions over the past several weeks by people who participate and then get flooded by spam. The lesson: don't participate.
And anyone with well-advertised, long-established email addresses.... Peter G. Neuman of the comp.risks archive runs SpamAssassin over list mail and still has 90% spam in the list mail, after filtering.
I still have hopes that we can dig out of the situation. As others note: when high-up execs start losing messages, I suspect AT&T's policy will slacken. AOL, as I've said, hasn't budged, however. Filtering is still largely effective, it just needs to be pushed further out to the SMTP transaction level. And I suspect that AT&T has a good idea, poorly implemented: MTAs themselves can keep track of spam and ham (non-spam) mail, and determine what mailservers they do and don't want to deal with. Current work with exim4+spamassassin integration is a long way toward this.
And yes, I'm the submitter of the AOL Bans Mail From DSL-Hosted Servers story.
What part of "gestalt" don't you understand?
Yeah, this sounds like a great idea. I am beginning to believe that AT&T's net ops dept is filled with idiots. My office is subletting space off of another company and using their AT&T business DSL. Roughly 2-3 months ago, all ICMP out of our network stopped. So, I get on the phone with AT&T. After a lot of getting bounced around to higher and higher support people, I finally get a hold of someone who tells me that AT&T is now blocking all ICMP across their network "for security purposes". Brilliant. It is not as if ICMP is a useful protocol or anything. So much for any remote monitoring of our servers with a simple ping. So much for using traceroute or ping to debug simple network problems. Now they are intending to break SMTP. Seems that by 2006 AT&T will have blocked most all Internet protocols because they are "insecure". Can't wait until the brains at AT&T decide to block TCP/IP!
Greg Whalin
greg@whalin.com
What it did was affect whether or not mail you sent to joe.random.employee@att.com got heavy spam filtering (on the mail servers that were getting pounded to death and might lose mail) or whether you got sent to one of the servers that did less spam filtering and wasn't getting pounded.
So even if a few spammers got themselves whitelisted, that wouldn't be a big problem because the filtering can handle them (plus they'd be coming from known IP addresses which could be blocked or de-whitelisted). But for some customers who are ISPs or email providers, it's a lot tougher to do the job right - they'd really want to
- permit email from sysadmin@bigisp.example.net to wholesale-fiber-sales@att.com
- deny forged email pretending to be from got.viagra@bigisp.example.net that really came from some hijacked Korean relay
- do some filtering on email from joe-random-user@bigisp.example.net to random-employee@att.com
and it's hard to do that really well.Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks