Slashdot Mirror
FTC vs. Open Relays, round 2
mbrain writes "PC World is reporting on a new federal program run by the FTC to close relays and proxies that serve as spam gateways. It's called 'Operation Secure Your Server'. The FTC will publicize this program by... sending tens of thousands of emails." I think it's a continuation of this program.
I have to wonder how many owners they will be able to successfully contact. It has been a long time since I've actually seen a WHOIS record listing a valid email address. Plus, popular registration services like Dotster now offer email masking as a standard part of domain registration.
I think this is mostly due to the trend of spammers attempting to "steal" domain registrations by doing thousands of WHOIS searches and contacting domain owners.
How many roads must a man walk down? 42.
What I'd give to get that list
HOW'S MY POSTING? CALL 1-800-POSTING
People who have open relays (in most instances) are either too stressed or too ignorant to understand what that means, and getting a letter from the FTC won't change that (in most instances.)
The FTC can only suggest that the relays be closed. Until they have some form of enforcement, there is nothing preventing those with open relays from ignoring the emails (assuming this is the rare situation where the above does not apply).
This doesn't take into account that some of those relays may be there on purpose, as in ISPs possibly colluding with, and also possibly profiting from, spam.
libertarianswag.com
Should the U.S. government be "handling" it at all?
Stop SPAM by sending thousands of emails? That's funny.
If they send the mail to the address of an open mail server, they will be sending most of them to the hackers that have taken over the machines, won't they?
>Does anything in CAN-SPAM make it unlawful to knowingly aid and abet spammers in the United States?
It's only knowingly when you've been told by the spammer he'll be using your relay for spamming.
I don't think that applies for someone uninvolved warning you that it might be. You aren't aiding and abetting someone stealing your car when you ignore the "keep your car locked" signs at the parking lot, are you? (I really, really, really hope not, anyways.)
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Because there's so many viruses, worms and scams that spoof other email addresses, including the scam that claimed to be about the Patriot Act, recipients might think it's a virus, a worm or a scam. I still think fake relays would be a good spam deterent vs trying to close all the open relays.
If the people who leave open servers open are on the hook to be sued, they will wise up very quickly.
Fight Spammers!
I remember when I was a kid ... My dad had an operation similar to this ... it was code named.
"Close the damned door, we ain't air conditioning the whole damned neighborhood."
That program was affective, dont see why this one won't be.
They couldn't come up with a better name, I mean isn't the whole point of government projects to confuse people as to what the the intent of the program is while tying in some patriotic theme.
Perhaps I might offer a bit of suggestion.
"Operation Cage the Free Eagle"
See, you got no idea what it really means, but it says Operation and includes "FREE and EAGLE", it must be good.
Ignore the "p2p is theft" trolls, they're just uninformed
Once all/most/many of the relays that they can use without *overtly* breaking the law close up, spammers will simply turn to *overtly* breaking the law, as in creating zombie networks. And as soon as those poorly maintained computers are cleaned up, they will simply use the same virus/worm/exploit to 0wn more poorly maintained computers (These computers will coincedently tend to be crawling with malware already).
Though any such move would doubtlessly be controversial, I suggest writing a "white hat" virus what would:
1) Check if a machine was unpatched/0wned (Probably meaning "it could infect it in the first place")
2) Once loading itself, download and run anti-spyware/-adware/-spamware/-malware applications to clean up the computer
3) Contact and infect other hosts, but NOT at such a rate as to bring down networks.
I omitted suggesting that it download the latest patches, because (as is oft pointed out) one reason many people and organizations DON'T download the latest patches for Windows is that they often break other things.
Although, again, this would be extremely controversial, I am suprised at never having seen it suggested before.
Whether you like it or not, there's nothing that's wrong about having open relays.
Bullshit. If your open relay is used by spammers, it inconveniences hundreds of thousands, or even millions of users. It costs ISPs and businesses money to deal with the spam that's spewing out of your open relay.
If I wish to leave my house door unlocked, it's not the business of the government to tell me I have to lock it. It may be irresponsible, but it's my right.
What a stupid analogy! If you leave your house unlocked, the only person likely to be hurt by it is you when you come home and find your stereo, PC, and TV gone. If you leave an open relay, you potentially hurt many innocent third parties. If you want a better analogy, it's like the government telling you that you can't leave a loaded shotgun on a picnic bench in a public park.
Just the same, I have the right to have an open relay and not close it. They have no right to tell me how to run my server. I accept the consequences of how I run it.
So does that mean that you're going to reimburse me and the other postmasters who have to deal with the spam? Are you going to compensate the users who got spam through your open relay? Are you willing to accept legal responsibility for the porn ads sent through your system to e-mail addresses of children? If not, in what way are you accepting the consequences?
Great, so your mail client deletes your crap mail. Meanwhile, your sysadmin has to keep beefing up the mail server(s) to handle the growing load.
Filtering at the client side just covers up the problem. You think you're helping, but you're actually just pulling the wool over your eyes.
I'm sure you're happy, but don't call it a solution. It doesn't scale.
Friends don't help friends install M$ junk.
As a sysadmin at an ISP, this is good news for me. Getting customers to close their open relays has always been a hassle. "We really need you to take care of this; its against our terms of service" is often followed by "Well, maybe we'll just find another ISP."
"We expect you to take care of this; you're operating in violation of Federal Trade Commission policy" has a much nicer ring to it. One less likely to generate argument.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
file a freedom of information act request.
I'm an American. I love this country and the freedoms that we used to have.
I'm wondering. Was there talk about changing the SMTP protocol a while back? I know it would a major overhaul, something along the lines of revamping IPv4 to IPv6 (well, not that major..)
This flys right around there with 'taxing every email' which would be an interesting debate indeed.
I've noticed that a bunch of mail servers out there are now doing creative mail filtering, making sure that the mx record corresponds to the actual relay that the mail is coming through. But not everyone has smtp auth over pop..
For instance, my new favourite is AOLmail.. almost any external mail to any aol servers, now takes up to several hours to actually get through their systems. I'm not sure if this is a creative filtering process, or that their servers are just so bogged down?
hrm?
------------
Sase
"It's the opposite of that."
I'm not sure this is a great idea. On one hand, I really want open relays shut down so that people stop blantently misusing them. On the other, I know some companies I've done work with, use open relays completely legitimately, and I don't believe that the open relays are the big problem anymore. I think that most spam comes from
A) Over-seas servers in countries that have abudant bandwidth and few laws governing their usage (ie India)
B) Hijacked machines here in the good ol' US of A that have become spam relays via viruses.
Until we get people to stop buying crap from spam, there will be no way to stop the spammers. Thats all there is to it, no matter how the government tries to stop it.
Actually, if I got a letter from the FTC I might well look into what it said. But if I got an email supposedly from the FTC, I would likely just ignore it without even opening it (after forwarding a copy to uce@ftc.gov).
I'm an American. I love this country and the freedoms that we used to have.
What boggles my mind is how hostile people get towards end users of fairly complicated Mail hosting programs. Personally, I've had to deal with the people at ordb.org, and let me tell you, they're a bunch of jackasses about the whole thing. If you had a chance to read their old FAQ (they've since changed it), you could tell that whoever wrote it was getting off on forcing people to change their server settings as he saw fit. So, while I'm getting barked at by customers who's "e-mail won't work," I've got to sit through childish comments about how I suck as an admin. The whole thing really pissed me off.
I understand that many of you uber-users expect that every admin should know all the ins and outs of every server/program, but I'm afraid that's just not possible sometimes. Our Wireless ISP consisted of 3 technically-capable people. Between setting up people's connections, repairing relay sites (using both proprietary and OTS equipment), setting up servers, setting up routing, technical support, providing network content shaping, hosting/designing websites, setting up policy enforcement, documenting it all, securing the network, AND providing e-mail to boot, there's just not enough time to do everything and get it right the first time. BESIDES, what's so wrong about expecting things to work when you do a regular install?
Since when has default == basically broke?
-Grym
The Internet's greatest strength is also its greatest weakness. At a technical level, everything with an IP address is a peer to all other devices with IP addresses... no special license is needed to make somebody a server. When it comes to e-mail, the same SMTP protocol that your favorite e-mail program uses to reach your outgoing mail server is the same SMTP that server is going to use to relay the message to the next server. You don't need anything special if you want to set up a mail server for your organization... but that also means nothing prevents a virus-infected PC from being an e-mail relay that starts spewing Spam on behalf of the virus writer.
Any "secure" system needs a "root of trust", someone or something that is a trustworthy party from which all other relationships can be traced back to. Most things on the Internet don't have a central authority, and that's by design to prevent censorship. However, e-mail is one thing that we want censorship for... we want abusers of the system thrown out.
However, to reliably kick out abusers, there needs to be a central authority. In short, there needs to be some sort of approval body for e-mail servers to prove that they're trustworthy operators, so that any e-mail that passes through them is sure to not be spam, with reprocussions for the server operators who do let spam through their system. In short, a closed system, where membership for servers is by approval, and therefore those who operate e-mail services have to enforce limits on their customers.
Unfortunately, that's so incompatable with the e-mail system we have today... any dreams of creating a No-Spam-Allowed e-mail system can go sit between IPv6 and the Devorak keyboard design in the pile of ideas that look good on the drawing board but will never be put into widespread use.
the one that when you apply the security update, it turns your server into an open relay?
IIRC, even if you went to the trouble to ensure that it was *not* an open relay, the patch would change the settings and, voila, open relay.
In the free world the media isn't government run; the government is media run.
Since when has default == basically broke?
I dunno. When was Microsoft incorperated?
I noticed the conspicuous absence of China in their list of countries participating.
There are several projects out there that are detecting and blocking open relays (quite effective... I have used this and similar blocklists on my mail server). FTC wouldn't be doing anything groundbreaking, except more formally contacting the owners. Not that mail server admins don't notice when millions of sites start bouncing their mail because they're listed on such places as ordb and dsbl! After all, that is part of the effect of blocklists... puts pressure on people who run improper mail servers.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
The Nachi worm and Code Green were attempts to fix Blaster and Code Red. They caused more damage than they fixed - especially Nachi which is still flooding everyone with ICMP echo requests. I am also surprised that you have never seen it suggested before - hint use Google
Closing open relays is a great first step and I hope this program has some effect.
If spammers are driven to using trojaned home computers to send their junk then there will be much more pressure bought to bear on ISPs to do port 25 egress filtering which will stop the trojans dead in their tracks
in the days when they didn't carry guns.
Stop, or I'll yell, "Stop" again!
I am very sympathetic to the complaints of harming innocent third parties, and indeed I used to be very supportive of anti-spam efforts. But these days I find that the anti-spammers are doing just as much harm to innocent parties as the spammers themselves. Real time blacklists are some of the worst offenders, since many of them (e.g. SPEWS) actively promote collateral damage as a mechanism for encouraging change.
I don't see how open relay blacklists like orbs or SPEWS can say with a straight face that they care about innocent third party damage from open relays. I consider the damage inflicted by one lost legitimate mail to be far worse than the damage inflicted by one unwanted spam mail.
In short, there's nothing but practical issues keeping you from doing this right now. If you can overcome those issues, more power to you. If you want to keep me from running a mail server with well configured free software, go away.
Friends don't help friends install M$ junk.
This sentence is a lie.
Sometimes you really do have to fight to achieve peace.
Never. Surrender is always an option, even if it means suicide. It might not be a good option, but it's there.
Fucking for virginity is an oxymoron because fucking will never achieve virginity
Nonsense, your parents fuck and about 9 months later you are born a virgin. fucking -> virginity.
Open relays, while enabling spamming, aren't the real problem. The real problem is the total unwillingness of the FTC to crack down on email based crime. Almost all spam is pretty much openly fraudulent -- either the products don't work, you don't get a product, or you're not supposed to get the product in the first place.
Why hasn't the government initiated a crackdown on the crime WITHIN the spam? Why is their such a willingness to accept that but be mad that someone is spamming about it? I sometimes wonder if most Americans (and I'm one as well) don't have some kind of built-in huckster or a total absence of ethics that they don't have a problem with the fact people are committing fraud.
If the government would bother following the money trail over some spam transactions, they'd not only get a much better idea what's "behind" spam (my theory is a fairly small number of people are responsible for a lot of it), as well as catch the same people comitting the same fraud, over and over, which becomes a possible RICO prosecution -- lots of jail time for anyone even tangentally involved. Which might actually do more to end spam by getting rid of its clients than some lame relay closing enterprise -- haven't they moved a lot of their operations to zombies and cracked proxies anyway?
There'll be more than enough hosts compromised somewhere, instead try to fix the damn system with proper certificates, "soft" blocking like hashcash or similar, easy feedback of SPAM, easy whitelisting of mailing lists etc.
Hell, I just recently discovered that my RHL9 box has been somehow compromised. Don't ask me how, but those sendmail spam zombie processes weren't mine. And on this Win2k PC I run anti-virus, firewall, the works. Still, a few things slips through the cracks, at least for a time.
But see how, my Linux box if routed shouldn't get a domain. It would be @[IP] @???.bb.online.no (dns of that IP) or @[spammer-provided domain], not @aol.com. And even if I wanted to run a mailserver here on a residential DSL - it's reasonable to limit my delivery speed by hashcash or some such measure.
If I wanted to do mass mailings (opt-in, the good kind, they exist, remember?) there should be a whitelisting system. Some kind of cryptographic token or similar, as proof of the opt-in. But noone seem to be doing anything like that.
Damage control is the way to go. Running around chasing the latest compromising trojan and whatever is futile, at least to cure the problem, not just the symptoms.
Kjella
Live today, because you never know what tomorrow brings