FTC vs. Open Relays, round 2
mbrain writes "PC World is reporting on a new federal program run by the FTC to close relays and proxies that serve as spam gateways. It's called 'Operation Secure Your Server'. The FTC will publicize this program by... sending tens of thousands of emails." I think it's a continuation of this program.
Stop SPAM by sending thousands of emails? That's funny.
Not everyone, of course -- I agree that some relays are open on purpose, and some people will disregard any official notice short of a search warrant delivered by a squad of riot cops. But I think this can't hurt.
>Does anything in CAN-SPAM make it unlawful to knowingly aid and abet spammers in the United States?
It's only knowingly when you've been told by the spammer he'll be using your relay for spamming.
I don't think that applies for someone uninvolved warning you that it might be. You aren't aiding and abetting someone stealing your car when you ignore the "keep your car locked" signs at the parking lot, are you? (I really, really, really hope not, anyways.)
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Because there's so many viruses, worms and scams that spoof other email addresses, including the scam that claimed to be about the Patriot Act, recipients might think it's a virus, a worm or a scam. I still think fake relays would be a good spam deterrent vs trying to close all the open relays.
If the people who leave open servers open are on the hook to be sued, they will wise up very quickly.
Fight Spammers!
Whether you like it or not, there's nothing that's wrong about having open relays.
Bullshit. If your open relay is used by spammers, it inconveniences hundreds of thousands, or even millions of users. It costs ISPs and businesses money to deal with the spam that's spewing out of your open relay.
If I wish to leave my house door unlocked, it's not the business of the government to tell me I have to lock it. It may be irresponsible, but it's my right.
What a stupid analogy! If you leave your house unlocked, the only person likely to be hurt by it is you when you come home and find your stereo, PC, and TV gone. If you leave an open relay, you potentially hurt many innocent third parties. If you want a better analogy, it's like the government telling you that you can't leave a loaded shotgun on a picnic bench in a public park.
Just the same, I have the right to have an open relay and not close it. They have no right to tell me how to run my server. I accept the consequences of how I run it.
So does that mean that you're going to reimburse me and the other postmasters who have to deal with the spam? Are you going to compensate the users who got spam through your open relay? Are you willing to accept legal responsibility for the porn ads sent through your system to e-mail addresses of children? If not, in what way are you accepting the consequences?
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
Great, so your mail client deletes your crap mail. Meanwhile, your sysadmin has to keep beefing up the mail server(s) to handle the growing load.
Filtering at the client side just covers up the problem. You think you're helping, but you're actually just pulling the wool over your eyes.
I'm sure you're happy, but don't call it a solution. It doesn't scale.
That might be a good idea in *most* cases, but unfortunately, I don't think that a virus could both be small enough not to clog a network and complex enough to discriminate between valid/spam SMTP traffic with acceptable reliability (Which businesses often define as 100%).
That high-pitched buzz you hear is an unmanned attack drone flying over to blow your server room to a pile of rubble.
(It scares me that that scenario isn't completely implausible.)
I'm not sure this is a great idea. On one hand, I really want open relays shut down so that people stop blatantly misusing them. On the other, I know some companies I've done work with use open relays completely legitimately, and I don't believe that the open relays are the big problem anymore. I think that most spam comes from
A) Overseas servers in countries that have abundant bandwidth and few laws governing their usage (i.e. India)
B) Hijacked machines here in the good ol' US of A that have become spam relays via viruses.
Until we get people to stop buying crap from spam, there will be no way to stop the spammers. That's all there is to it, no matter how the government tries to stop it.
Actually, if I got a letter from the FTC I might well look into what it said. But if I got an email supposedly from the FTC, I would likely just ignore it without even opening it (after forwarding a copy to uce@ftc.gov).
I'm an American. I love this country and the freedoms that we used to have.
What boggles my mind is how hostile people get towards end users of fairly complicated Mail hosting programs. Personally, I've had to deal with the people at ordb.org, and let me tell you, they're a bunch of jackasses about the whole thing. If you had a chance to read their old FAQ (they've since changed it), you could tell that whoever wrote it was getting off on forcing people to change their server settings as he saw fit. So, while I'm getting barked at by customers whose "e-mail won't work," I've got to sit through childish comments about how I suck as an admin. The whole thing really pissed me off.
I understand that many of you uber-users expect that every admin should know all the ins and outs of every server/program, but I'm afraid that's just not possible sometimes. Our Wireless ISP consisted of 3 technically-capable people. Between setting up people's connections, repairing relay sites (using both proprietary and OTS equipment), setting up servers, setting up routing, technical support, providing network content shaping, hosting/designing websites, setting up policy enforcement, documenting it all, securing the network, AND providing e-mail to boot, there's just not enough time to do everything and get it right the first time. BESIDES, what's so wrong about expecting things to work when you do a regular install?
Since when has default == basically broke?
-Grym
I omitted suggesting that it download the latest patches, because (as is oft pointed out) one reason many people and organizations DON'T download the latest patches for Windows is that they often break other things.
Cleaning up the computer and closing off exposed services is just as likely to break things as downloading the latest patches is. And it doesn't teach the admin anything. The best solution for fixing the problem involves the admin learning about security.
Leave the machine alone, and hope the admin will eventually be inconvenienced by the spammers and DDoS clients using his machine enough to learn how to properly secure it. In the meantime hundreds or thousands of responsible admins are also inconvenienced by being spammed and/or DDoSed.
Or trash the machine; don't just make it unbootable, completely wipe it clean. If it comes back and is still vulnerable, do it again until the sysadmin gets sick of restoring backups and properly secures it. The advantage of this approach is that it takes vulnerable machines off the network, thus inconveniencing only the person responsible for and in a position to remedy the problem.
In short, there's nothing but practical issues keeping you from doing this right now. If you can overcome those issues, more power to you. If you want to keep me from running a mail server with well configured free software, go away.
Friends don't help friends install M$ junk.
Why not postmaster@[offending IP ADDRESS] (or an nslookup of that IP address) or similar role accounts?
Because lots of smaller domains do not use that address, myself included. Ironically, we were getting lots of spam to that address, and since I would only check it once a week or so, didn't like filtering through 2000+ emails.
Also, the registrars do have their contact information. I doubt if most registrars would not honor an FTC "request" (if they know what's good for them).
Doesn't work that way. Not only are many domains registered under false info, but you can't bully registrars, especially since the majority of them are NOT in the US. The feds have no authority to bully a registrar in Brazil, for example.
ISPs would stand in line to give up contact information for Open Relays on their network, as they are a network problem.
There also exists the idea that you don't just give up contact info for a client if you are an ISP, if they are not doing anything illegal AND there is no warrant. This is not cool.
It appears to me that the feds have the right idea, although I don't think it's going to work on most open relays. It's a good effort to judge the response. But they only have authority in the US, not the world.
Bullying ISPs and domain owners is NOT the answer. Most don't know they have open relays, so it's a matter of information, education, and getting them to quit using insecure OSs, which will include most older versions of both Windows AND Linux. (RH 6.x back had open relays standard).
It would be nice if we could have some kind of international standards that all countries would agree to, and eventually we will. But not soon.
Tequila: It's not just for breakfast anymore!