Slashdot Mirror

← Back to Stories (view on slashdot.org)

AT&T Moves Toward Mail-Server Whitelist

Posted by timothy on from the is-it-better-than-spam dept.

Gunfighter writes "In an apparent attempt to quelch the amount of incoming spam, AT&T has asked their customers, partners, and business clients to provide them with IP addresses of their mail servers. All other mail will be discarded. To quote the message: "... In order to continue to allow email to AT&T you need to provide the IP addresses of all your outbound email gateways. If you do not respond immediately, your access may not continue.""

28 of 447 comments (clear)

  1. I work for AT&T! by Anonymous Coward · · Score: 4, Interesting

    And it's been blocking email I send to my work account! Now I understand what's going on.

  2. So what's to prevent.. by dr+ttol · · Score: 3, Insightful

    ..the spammers to get AT&T to whitelist their IPs?

    1. Re:So what's to prevent.. by YouHaveSnail · · Score: 4, Insightful

      Well presumably, any gateway that delivers significant amounts of spam to AT&T will be removed from the white list and added to the black one.

      Their whole approach may or may not work, but it's an interesting idea. The PGP "web of trust" concept never really caught on among the general public, but creating a web of trusted mail servers would seem like a simple and effective defense against spam. AT&T's move might be the first step in that direction.

      The next step, of course, would be either a new protocol or an extension to an existing one that would let one mail server ask another "Hey, smtp.xyz.com wants to exchange mail with me, but I've never heard of him. Do you know him? Do you trust him?" If VeriSign really cared about innovating and improving the net, this is the sort of thing they should be working on.

  3. All it takes by lingqi · · Score: 4, Insightful

    is a few span servers to get on the list, and a few legit servers to get hacked and taken off the list (and tries to get on again) before there will be hell and ATT would have to abandon the plan, wasting all these time and resources used to instate this plan in the first place.

    Great shame, really...

    --

    My life in the land of the rising sun.

    1. Re:All it takes by HBI · · Score: 5, Insightful

      The servers will be now identified by customer.

      The incoming spam will then have an owner tied to it, who will be held accountable. It's a very workable system actually and not as prone to failure as you are alluding.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    2. Re:All it takes by lingqi · · Score: 3, Insightful
      The servers will be now identified by customer.

      and if a popular server is identified by many customers? like, say, hotmail?

      and there ARE cases where somebody might want to send email to a person with no prior contact - the "long-lost HS friend" is overused, but take other examples - say I am active on a mailing list and somebody want to ask me something, or if somebody is replying to my advertisement on ebay. there are TONS of problems with a whitelist-only approach.

      --

      My life in the land of the rising sun.

    3. Re:All it takes by l810c · · Score: 4, Funny
      And what the recourse for the Customer? Call or email the ISP to get xxx.com on their whitelist?

      Here's some samples:
      'I just signed up for fatanalhos.com and they emailed me my password. I didn't get the email. Could you please put fatanalhos.com on your Whitelist?'

      'I just ordered some penis enlargement cream, but I didn't get my email conformation. Could you please Whitelist myphatcock.com?'

      'I'm expecting a large sum of money from Nigeria and I can't get my emails...'

    4. Re:All it takes by KindAloysiusX · · Score: 4, Funny

      I don't think this scheme is scalable. What if you and I want to have a conversation? Do we have to exchange mail forever?

    5. Re:All it takes by bobv-pillars-net · · Score: 3, Informative

      dig mx att.com

      then telnet to port 25 for each MX host

      I get no response from any of them.

      Keep trying. According to my logs, about 30% of the time, they DO respond. I don't know if they're overloaded 70% of the time or if their IP-filter breaks 30% of the time, but if you keep trying long enough, you will get through.

      --
      The Web is like Usenet, but
      the elephants are untrained.
  4. I wish they'd turn this around by Webmoth · · Score: 3, Insightful

    I had an "unpublished" landline phone number, and chose a third-party carrier for my long distance service. AT&T called me every week as long as I had that phone line, trying to sell me long distance service, no matter that every time I called, I said "no" and told them to never call again.

    It seems that AT&T thinks that if you don't want to do business with them, then they automatically deserve to be on your whitelist.

    Voice spam is just as bad as email spam. Even worse, since you can't deal with it on YOUR time.

    --
    Give me my freedom, and I'll take care of my own security, thank you.
  5. Huh? by Aurix · · Score: 3, Insightful

    This can't be right... Most businesses have no idea what an IP address is, let alone the IP addresses of people who send them email... It sounds like an utterly stupid plan. What's to stop spammers sending them IP addresses of their mail sending boxes or open relays?

  6. Users don't know what to do with this . . . by actappan · · Score: 5, Insightful

    I'm oversee an it department. While we're lucky enough to have a highly technical user base there are still users that need a little help. And some of them will have to write at&t.

    "Solutions" like this do little to stem the tide of spam, they only shift the burden to others. Now, in order to ensure that my users can send email to the customers and contacts they need at att&t, I have to keep them up to date with our whereabouts on the net?

    Earlier this year we had to deal with a spat of denied messages cause when a number of large organizations blocked our entire address block because they believed it was a DSL block. This was the only reason. Not that spam originated from any of these addresses,

    The only way to stop spam is to stop the spammers. The only way to stop the spammers is to stop those that pay them or otherwise make money trough the spam.

    --
    \Drew National Data Director, John Edwards for President
  7. This is just wrong in so many ways... by Fnkmaster · · Score: 5, Insightful
    So if each big company decides to do this, they will all end up with slightly different lists of whitelisted SMTP servers. The Internet will degenerate into a fragmented, unreliable system where you never know who will receive your email. In fact, you'll be strong armed into using particular ISPs and using email addresses like shithead@att.net in order to get your email through to anybody. The Internet is thereby de-democratized and rolled back 10 years.


    This is really a lose-lose situation and it's disappointing to see this. If there's going to be a concept of trusted mail servers, we need to use a technological solution that allows easy, open, and transferable trusted participation in the network - maybe for once an application where a web-of-trust would actually function. Even the current system with centralized, subscription-based blackhole lists is far better - at least you only have 5-10 different places to go if you end up on somebody's shit list.


    In the dark world of the future you'll have to fight your way through bureaucracy and stupid sysadmins (and yes, the vast majority of sysadmins are fucking idiots, though I know that's not a popular opinion around here) for each and every company, organization or domain you want to send email to. That sounds like an infeasible, unmaintainable system to me.


    Personally, I find the spam filtering on my fastmail (www.fastmail.fm) account to be incredibly reliable and effective, and I've found that if I bounce back every piece of true spam I get, over a few weeks or months, my rate of incoming spam seems to decrease substantially. We can do better, and we will beat the spammers, but we don't need to throw out the baby with the bathwater.

    1. Re:This is just wrong in so many ways... by bigberk · · Score: 4, Insightful
      So if each big company decides to do this, they will all end up with slightly different lists of whitelisted SMTP servers. The Internet will degenerate into a fragmented, unreliable system where you never know who will receive your email. In fact, you'll be strong armed into using particular ISPs and using email addresses like shithead@att.net in order to get your email through to anybody. The Internet is thereby de-democratized and rolled back 10 years.
      Spot on, mod this guy up. He hit the nail on the head.
      I've found that if I bounce back every piece of true spam I get, over a few weeks or months, my rate of incoming spam seems to decrease substantially
      Except for this bit. Never try to bounce spam, it just goes to the wrong destination and further pollutes the Internet.
    2. Re:This is just wrong in so many ways... by Chmarr · · Score: 4, Insightful

      I think you're mistaken. When he says 'bounce spam' he doesn't mean composing a new message and sending it to the 'envelope from'.

      He means ensuring the spam message gets a 550 code, or something similiar, rather than 'accepting' it and trashing it later.

    3. Re:This is just wrong in so many ways... by AKnightCowboy · · Score: 3, Insightful
      In the dark world of the future you'll have to fight your way through bureaucracy and stupid sysadmins (and yes, the vast majority of sysadmins are fucking idiots, though I know that's not a popular opinion around here) for each and every company, organization or domain you want to send email to. That sounds like an infeasible, unmaintainable system to me.

      We're probably all over-reacting a bit since the first time the CEO of AT&T misses an important e-mail message because his ISP blocks the incoming mail, this will go away. I would say by 2pm on Friday at the latest. This is one of those idiotic things to do on the scale of Verisign's Sitefinder "service".

  8. Some much for my mail server by mgarriss · · Score: 5, Insightful

    A week ago I decided that it would be interesting to setup my own mail server, hell, fun even. Interesting yes, fun no. I started with sendmail and ended up with qmail.

    I was so proud of my new server, it was so, well, new. I go to send out a test mail and alas earthlink would not accept it, hmm. Then I sent one to my yahoo account, nope. Hotmail? You guessed it. What's the deal I asked. Googled a bit, found that slashdot discussion (http://yro.slashdot.org/yro/03/04/13/2215207.shtm l?tid=120).

    I started to realize that email is no longer a tool of the little guy. I send my mail through my earthlink server which works but now I must watch my volume (no mailing lists hosted here I'm afraid) because of my 'terms-of-service'. Something about being a little guy or something like that.

    Now the last barrier is up. I wonder if ATT would put me on their list?

  9. RTFA? by fo0bar · · Score: 5, Informative

    FYI, this seems to be from AT&T Business Services, IE backbone and ip operations. So their customers (the people they are asking) in this case are other ISPs, datacenters, etc, and the whitelist is for sending email to AT&T itself. This has nothing to do with other AT&T services (remember, "AT&T" is essentially about a hundred different companies that happen to share the same name), so this should not affect some grandma trying to send to an attbi account. That being said, whether what they're doing is good remains to be seen.

    (Interestingly enough, I *DO* work for a datacenter that has IP and transit services through AT&T, and have not received one of these emails yet...)

  10. Re:Somehow ... by Rick+the+Red · · Score: 4, Funny
    You must be a spammer. That's the ONLY way your SMTP server could get blacklisted. Oh, and your ISP must harbor spammers, too, otherwise there's NO WAY they could be on some blacklist by mistake. OH, NO, the spam vigilanties NEVER make mistakes and blacklist an innocent party. NEVER.

    Really, never. Just ask them.

    --
    If all this should have a reason, we would be the last to know.
  11. Shock and disbelief.... by ComputerSlicer23 · · Score: 3, Interesting
    Uhhh, I do business with people on the AT&T network. At least I'm reasonable sure the 1000's of clients who use e-mail to contact me use it. I wonder what I need to do to get on the list.

    Complete shock and disbelief at the first e-mail (the dreadfully short message at the bottom).

    Has anyone actually called and confirmed with the 1-800 number that this truely is AT&T, and it really is what they are saying? I'm not sure I'll believe it until I see the e-mail actually start bouncing. That's clinically insane. Do they seriously believe they'll be able to pull this off? You mean ever time a small company creates a new mail server they'll have to contact AT&T with the outgoing SMTP servers? If this starts a major trend, you mean I'll have to contact lots of major ISP's to send mail to them?

    Assuming this it to stop SPAM (what else could it be?), what's to stop a spammer from just calling up and saying I'm a legit mailer set me up? What do I do when I get assigned the IP from the old spammer? What will there policy be on setting you back up? Will there be an official form? How can they tell the Spammer just isn't dupping them a second time with a fake business?

    This sounds like a terrible idea, and like their security people haven't really thought this through. About the only thing I like about it, is that it is a sign that major ISP's are starting to play hardball. I'm curious if one of their net admins was behind some of the major black lists that just got DDoS'ed off the net. I hope they accept e-mail from anybody with a legitimate MX record at least. At least for a little while. I can't believe they aren't going to do a black list instead of a white list.

    What's the over-under on how long this takes to get pulled the plug on? There's no way this will last. It'll be a world class disaster. My guess is it won't last 15 business days.

    Kirby

  12. This is not going to work by bigberk · · Score: 3, Interesting

    After a few months of operation, it will become obvious that this plan is a disaster. Spam-friendly ISPs (and there are many with legit customers too) will still get on the whitelist, so incoming spam will not cease. But in the meantime, smaller ISPs around the world will get mighty pissed because their mail is rejected.

    However, if you run your own mail server you will get quite annoyed, but all hope is not lost. Here is a brilliant solution for postfix that will let you deliver mail specifically bound for, say, attglobal.net through your ISP's hopefully whitelisted customer-use mail server instead of direct delivery. So AT&T will see your ISP's mail server connecting for this mail, while all your other mail can be delivered direct.

    I'm mighty disappointed in AT&T. This move further commercializes Internet connectivity by giving big business the green light to send any mail while blocking all the small guys. Seriously.

  13. Hypocritical--ATT is a major Spam Service Provider by dananderson · · Score: 4, Interesting

    I find this very hypocritical. ATT is a major service provider for spammers, mostly through their broadband service. I know because I have my own blacklist and there are hundreds of Class C blocks with ATT. ATT is very lax with enforcing any AUP they may have.

  14. Re:Why not use the MX? by morelife · · Score: 4, Insightful

    Why not use the MX?

    In large mta deployments the mx is hardly ever the sending mta.

  15. SMTP blues by ratfynk · · Score: 4, Insightful
    I know this sounds crazy but the protocols are the problem. As long as there is no way to certify return addressing spam will happen. Solicitation lists just do not work for this very reason. I personally do not reply to or even consider spoofed mail. I never use html links that come in mail even if the reply address is authentic. If the person sending me mail cannot give me their real address they can go suck wind. I just wonder, if e-mail dies what will replace it? Ask Bill he has the answer, fascist style computing. Maybe this is why we have the MS worm, virus, software security problem. What a wonderful way to sell secure computing and make so called 'trusted computing' mandatory. Kill of e-mail as we know it first with Windows style security. Na ..no one could be that underhanded. Brilliant idea though and not that far from happening. Either the guy is really that brilliant or just shit lucky. It sure would cement the future of MS computing.

    The best dual boot problem solver is; dd if=/dev/urandom of=/dev/hda1 ..then cfdisk /dev/hda1 etc..

    :-( too bad I have my wife won't switch yet. I have always wanted to use that command!

    --
    OH THE SHAME I fell off the wagon and use sigs again!
  16. Just because... by sillypixie · · Score: 4, Informative
    you whitelist some servers does not have to mean that you have to blacklist all the others. If AT&T really means to do this, they will learn the hard way when their business suffers.

    There are several initiatives underway to use DNS to authenticate SMTP transactions: this seems like a good way to avoid the nastiness described by the parent poster...

    The article really does sound like this request is an emergency response to a specific threat - The intent seems to me to be more of a temporary bandaid solution than an attempt to alter the very fabric of email as we know it (-:

    Pixie

    --
    don't mess with those geekgrrls
  17. I've got a great IP they can block by Sir+Haxalot · · Score: 3, Funny

    127.0.0.1

    --
    I have over 70 freaks, do you?
  18. RMX and SPF:Sender by RT+Alec · · Score: 4, Interesting

    The biggest problem is ATT will have to administrate this. If a (legitimate) domain switches IP addresses on their outgoing SMTP server (it happens), ATT will have to deal with it by setting up some kind of structure to accomodate such changes.

    Forcing domains to declare from what SMTP host legitimate mail will come from is actualy a good idea. It has been proposed before, in the form of SPF:Sender and RMX. Either would do the job (technical quibbles aside), and would accomodate the end goal ATT is trying to achieve.

  19. Fscking hypocrites... by Eggplant62 · · Score: 3, Interesting

    AT&T three years ago were caught out when a "pink contract" they held with Ronnie Scelson's Cajun Hosting was brought to light by anti-spammers on news.admin.net-abuse.email. Now they're going to do something about the spam hitting their user's inboxes.

    Less spam would hit their user's inboxes if they were to sever all ties with their pet spammers. It's my own hog-fucking opinion that AT&T still has plenty of pink paper over there and are still helping spammers to stay in business. However, money still talks the loudest. Those spam contracts usually bring double or triple the going rate to ignore complaints.