FTC vs. Open Relays, round 2
mbrain writes "PC World is reporting on a new federal program run by the FTC to close relays and proxies that serve as spam gateways. It's called 'Operation Secure Your Server'. The FTC will publicize this program by... sending tens of thousands of emails." I think it's a continuation of this program.
I have to wonder how many owners they will be able to successfully contact. It has been a long time since I've actually seen a WHOIS record listing a valid email address. Plus, popular registration services like Dotster now offer email masking as a standard part of domain registration.
I think this is mostly due to the trend of spammers attempting to "steal" domain registrations by doing thousands of WHOIS searches and contacting domain owners.
How many roads must a man walk down? 42.
What I'd give to get that list
HOW'S MY POSTING? CALL 1-800-POSTING
People who have open relays (in most instances) are either too stressed or too ignorant to understand what that means, and getting a letter from the FTC won't change that (in most instances.)
The FTC can only suggest that the relays be closed. Until they have some form of enforcement, there is nothing preventing those with open relays from ignoring the emails (assuming this is the rare situation where the above does not apply).
This doesn't take into account that some of those relays may be there on purpose, as in ISPs possibly colluding with, and also possibly profiting from, spam.
libertarianswag.com
Stop SPAM by sending thousands of emails? That's funny.
>Does anything in CAN-SPAM make it unlawful to knowingly aid and abet spammers in the United States?
It's only knowingly when you've been told by the spammer he'll be using your relay for spamming.
I don't think that applies for someone uninvolved warning you that it might be. You aren't aiding and abetting someone stealing your car when you ignore the "keep your car locked" signs at the parking lot, are you? (I really, really, really hope not, anyways.)
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
I remember when I was a kid ... My dad had an operation similar to this ... it was code named.
"Close the damned door, we ain't air conditioning the whole damned neighborhood."
That program was effective, don't see why this one won't be.
They couldn't come up with a better name? I mean, isn't the whole point of government projects to confuse people as to what the intent of the program is while tying in some patriotic theme?
Perhaps I might offer a bit of suggestion.
"Operation Cage the Free Eagle"
See, you got no idea what it really means, but it says Operation and includes "FREE and EAGLE", it must be good.
Ignore the "p2p is theft" trolls, they're just uninformed
Once all/most/many of the relays that they can use without *overtly* breaking the law close up, spammers will simply turn to *overtly* breaking the law, as in creating zombie networks. And as soon as those poorly maintained computers are cleaned up, they will simply use the same virus/worm/exploit to 0wn more poorly maintained computers. (These computers will coincidentally tend to be crawling with malware already.)
Though any such move would doubtlessly be controversial, I suggest writing a "white hat" virus that would:
1) Check if a machine was unpatched/0wned (Probably meaning "it could infect it in the first place")
2) Once loading itself, download and run anti-spyware/-adware/-spamware/-malware applications to clean up the computer
3) Contact and infect other hosts, but NOT at such a rate as to bring down networks.
I omitted suggesting that it download the latest patches, because (as is oft pointed out) one reason many people and organizations DON'T download the latest patches for Windows is that they often break other things.
Although, again, this would be extremely controversial, I am surprised at never having seen it suggested before.
>Whether you like it or not, there's nothing that's wrong about having open relays.
Bullshit. If your open relay is used by spammers, it inconveniences hundreds of thousands, or even millions of users. It costs ISPs and businesses money to deal with the spam that's spewing out of your open relay.
>If I wish to leave my house door unlocked, it's not the business of the government to tell me I have to lock it. It may be irresponsible, but it's my right.
What a stupid analogy! If you leave your house unlocked, the only person likely to be hurt by it is you when you come home and find your stereo, PC, and TV gone. If you leave an open relay, you potentially hurt many innocent third parties. If you want a better analogy, it's like the government telling you that you can't leave a loaded shotgun on a picnic bench in a public park.
>Just the same, I have the right to have an open relay and not close it. They have no right to tell me how to run my server. I accept the consequences of how I run it.
So does that mean that you're going to reimburse me and the other postmasters who have to deal with the spam? Are you going to compensate the users who got spam through your open relay? Are you willing to accept legal responsibility for the porn ads sent through your system to e-mail addresses of children? If not, in what way are you accepting the consequences?
Great, so your mail client deletes your crap mail. Meanwhile, your sysadmin has to keep beefing up the mail server(s) to handle the growing load.
Filtering at the client side just covers up the problem. You think you're helping, but you're actually just pulling the wool over your eyes.
I'm sure you're happy, but don't call it a solution. It doesn't scale.
Friends don't help friends install M$ junk.
As a sysadmin at an ISP, this is good news for me. Getting customers to close their open relays has always been a hassle. "We really need you to take care of this; it's against our terms of service" is often followed by "Well, maybe we'll just find another ISP."
"We expect you to take care of this; you're operating in violation of Federal Trade Commission policy" has a much nicer ring to it. One less likely to generate argument.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Actually, if I got a letter from the FTC I might well look into what it said. But if I got an email supposedly from the FTC, I would likely just ignore it without even opening it (after forwarding a copy to uce@ftc.gov).
I'm an American. I love this country and the freedoms that we used to have.
What boggles my mind is how hostile people get towards end users of fairly complicated mail hosting programs. Personally, I've had to deal with the people at ordb.org, and let me tell you, they're a bunch of jackasses about the whole thing. If you had a chance to read their old FAQ (they've since changed it), you could tell that whoever wrote it was getting off on forcing people to change their server settings as he saw fit. So, while I'm getting barked at by customers whose "e-mail won't work," I've got to sit through childish comments about how I suck as an admin. The whole thing really pissed me off.
I understand that many of you uber-users expect that every admin should know all the ins and outs of every server/program, but I'm afraid that's just not possible sometimes. Our Wireless ISP consisted of 3 technically-capable people. Between setting up people's connections, repairing relay sites (using both proprietary and OTS equipment), setting up servers, setting up routing, technical support, providing network content shaping, hosting/designing websites, setting up policy enforcement, documenting it all, securing the network, AND providing e-mail to boot, there's just not enough time to do everything and get it right the first time. BESIDES, what's so wrong about expecting things to work when you do a regular install?
Since when has default == basically broke?
-Grym
The Internet's greatest strength is also its greatest weakness. At a technical level, everything with an IP address is a peer to all other devices with IP addresses... no special license is needed to make somebody a server. When it comes to e-mail, the same SMTP protocol that your favorite e-mail program uses to reach your outgoing mail server is the same SMTP that server is going to use to relay the message to the next server. You don't need anything special if you want to set up a mail server for your organization... but that also means nothing prevents a virus-infected PC from being an e-mail relay that starts spewing Spam on behalf of the virus writer.
Any "secure" system needs a "root of trust", someone or something that is a trustworthy party from which all other relationships can be traced back to. Most things on the Internet don't have a central authority, and that's by design to prevent censorship. However, e-mail is one thing that we want censorship for... we want abusers of the system thrown out.
However, to reliably kick out abusers, there needs to be a central authority. In short, there needs to be some sort of approval body for e-mail servers to prove that they're trustworthy operators, so that any e-mail that passes through them is sure to not be spam, with repercussions for the server operators who do let spam through their system. In short, a closed system, where membership for servers is by approval, and therefore those who operate e-mail services have to enforce limits on their customers.
Unfortunately, that's so incompatible with the e-mail system we have today... any dreams of creating a No-Spam-Allowed e-mail system can go sit between IPv6 and the Dvorak keyboard design in the pile of ideas that look good on the drawing board but will never be put into widespread use.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
The Nachi worm and Code Green were attempts to fix Blaster and Code Red. They caused more damage than they fixed - especially Nachi, which is still flooding everyone with ICMP echo requests. I am also surprised that you have never seen it suggested before - hint: use Google.
Closing open relays is a great first step and I hope this program has some effect.
If spammers are driven to using trojaned home computers to send their junk then there will be much more pressure brought to bear on ISPs to do port 25 egress filtering, which will stop the trojans dead in their tracks.
There'll be more than enough hosts compromised somewhere, instead try to fix the damn system with proper certificates, "soft" blocking like hashcash or similar, easy feedback of SPAM, easy whitelisting of mailing lists etc.
Hell, I just recently discovered that my RHL9 box has been somehow compromised. Don't ask me how, but those sendmail spam zombie processes weren't mine. And on this Win2k PC I run anti-virus, firewall, the works. Still, a few things slip through the cracks, at least for a time.
But see how, my Linux box if routed shouldn't get a domain. It would be @[IP] @???.bb.online.no (dns of that IP) or @[spammer-provided domain], not @aol.com. And even if I wanted to run a mailserver here on a residential DSL - it's reasonable to limit my delivery speed by hashcash or some such measure.
If I wanted to do mass mailings (opt-in, the good kind, they exist, remember?) there should be a whitelisting system. Some kind of cryptographic token or similar, as proof of the opt-in. But no one seems to be doing anything like that.
Damage control is the way to go. Running around chasing the latest compromising trojan and whatever is futile, at least to cure the problem, not just the symptoms.
Kjella
Live today, because you never know what tomorrow brings
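
The hashcash-style "soft blocking" mentioned in the last comment, sketched as an added example (it is not part of the thread or any poster's code): the sender burns CPU minting a stamp bound to the recipient, and the receiving server checks it with a single hash and rejects replays. The stamp layout follows hashcash version 1; the function names, date and recipient address are constructed for illustration, and date-expiry checking is left out.

```python
import base64
import hashlib
import itertools
import os


def leading_zero_bits(digest: bytes) -> int:
    """Count zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(resource: str, bits: int = 16, date: str = "040101") -> str:
    """Sender side: search for a counter giving `bits` leading zero bits.
    Expected cost is about 2**bits SHA-1 operations per recipient."""
    rand = base64.b64encode(os.urandom(9)).decode()  # salt, contains no ':'
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    for counter in itertools.count():
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp


def verify(stamp: str, resource: str, min_bits: int, seen: set) -> bool:
    """Receiver side: one hash, plus recipient binding and replay checks."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
        return False
    claimed = int(fields[1])
    if fields[3] != resource or claimed < min_bits:
        return False  # minted for someone else, or too cheap
    if stamp in seen:
        return False  # same stamp presented twice
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
        return False  # claimed work was not actually done
    seen.add(stamp)
    return True


if __name__ == "__main__":
    spent = set()  # stands in for the server's database of used stamps
    s = mint("user@example.org", bits=16)
    print(s, verify(s, "user@example.org", 16, spent))
```

Because each stamp is tied to one recipient, a legitimate sender pays the cost once per message while a bulk sender pays it once per address, which is the rate limit the comment is asking for.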