Slashdot Mirror


Major ISPs Publish Anti-Spam Best Practices

wayne writes "The ASTA, an alliance of major ISPs, has just published a set of best practices to help fight spam. The list of ISPs include the likes of AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast. The recommendations include such things as limiting port 25 use, rate limiting email, closing redirectors and open relays, and detecting zombies. For details, see the ASTA Statement of Intent (pdf) or any of the ISP's antispam websites."

252 comments

  1. Don't forget SPF by Anonymous Coward · · Score: 4, Informative

    Several large ISPs are backing SPF. I even noticed my ISP, Verizon, who tend to be quite lazy and stupid when it comes to spam (and other things), have added an SPF record.

    1. Re:Don't forget SPF by forevermore · · Score: 1

      Enabling SPF is only half of the battle. It isn't until online web services start understanding that they need to use reply-to instead of just putting a user's address in the from field that SPF will really work. I've had to disable my server's SPF checking because some services I use (like my bank - ingdirect.com) like to send things like referrals "from" me, rather than "from" themselves with a reply-to to me.

      --
      Do you really need reason for beer? Wingman Brewers
    2. Re:Don't forget SPF by Smallpond · · Score: 2, Insightful

      SPF should be checking envelope MAIL FROM, not From: header. If your bank is forging the envelope, then you should block them, since their software is borken.

    3. Re:Don't forget SPF by thedillybar · · Score: 0

      SPF breaks forwarding. It's a good idea, but won't be used widespread because of it. I think DomainKeys is more promising.

    4. Re:Don't forget SPF by Anonymous Coward · · Score: 1, Informative

      AOL has stated they'll be using SPF by August (if not sooner)

    5. Re:Don't forget SPF by EaterOfDog · · Score: 0

      "borken?" That is an oddly appropriate misspelling, I like it!

      --

      Crushing my karma one post at a time.
    6. Re:Don't forget SPF by Anonymous Coward · · Score: 0

      Dude, thanks! I was heading to the pool and I almost did forget my SPF! Good lookin' out.

    7. Re:Don't forget SPF by Anonymous Coward · · Score: 1, Informative

      It breaks the CURRENT method of forwarding, but it doesn't mean there isn't a replacement. If people want to have some idea of who is sending them email, then this needs to be done.

    8. Re:Don't forget SPF by Dimensio · · Score: 4, Interesting

      I even noticed my ISP, Verizon, who tend to be quite lazy and stupid when it comes to spam (and other things), have added an SPF record.

      I wouldn't call Verizon "lazy and stupid" when it comes to spammers on their network. I would call them "criminally negligent".

      They had a spammer's website on their network for over a month. The spammer was selling a product that was blatantly illegal (digital cable descrambler). The only possible way that their product could have been legal was if it did not function as advertised, and then they would have been committing advertising fraud, so either way they were breaking the law and Verizon was allowing it to happen on their network. After a MONTH of daily complaints about the site, it only disappeared AFTER I set up a webpage documenting Verizon's open support of criminal activity and started advertising it in my .signature file.

      No legal threats were ever issued to me. I guess that Verizon knew that I had truth on my side.

    9. Re:Don't forget SPF by Xformer · · Score: 1

      There is a way around that, though, and a rather easy one to implement depending on the mail server involved. Patches for sender address rewriting are still being developed for different MTAs, but that plus the lag of getting ISPs involved are the two major reasons why SPF isn't in full force yet.

      Besides, the article does reference SPF, though indirectly. That and M$'s Caller-ID are the only things that I know of that realistically authenticate by IP address, and they've just recently merged.

      --
      All I want is a kind word, a warm bed and unlimited power.
    10. Re:Don't forget SPF by forevermore · · Score: 1
      If your bank is forging the envelope, then you should block them, since their software is borken.

      Yeah, I messed up on the header/envelope thing. Either way, there are a LOT of websites out there that do this thing, not just ingdirect (and I make money off of referring friends, so I'm not going to just block them). The issue isn't that the servers are specifically choosing to forge the envelope FROM, but that most web apps don't care -- e.g. you use php's mail() function to send mail, it picks the "From:" out of the headers and sends that info to sendmail for use as the envelope FROM. Regardless, this practice is "broken" because it breaks SPF, but not "broken" by SMTP standards -- the message WAS initiated by me (e.g. I clicked the "refer a friend" button), it just doesn't originate from my server, and is "from" someone else, even if all replies should be directed to me.

      --
      Do you really need reason for beer? Wingman Brewers
    11. Re:Don't forget SPF by senatorpjt · · Score: 1

      Blocking mail from your bank is generally not the wisest thing you can do.

    12. Re:Don't forget SPF by Anonymous Coward · · Score: 0

      maybe it should be b0rken?

    13. Re:Don't forget SPF by squiggleslash · · Score: 2, Insightful
      You know, blocking all email that contains a Subject: line would also only break CURRENT methods of sending and receiving email.

      I think it's a tad silly to say "Well, it's ok if it breaks everything, because we can always change everything."

      --
      You are not alone. This is not normal. None of this is normal.
    14. Re:Don't forget SPF by Anonymous Coward · · Score: 0

      It doesn't break everything. It breaks one thing and for a very specific reason.

    15. Re:Don't forget SPF by Marillion · · Score: 1
      It breaks "Bouncing" but not "Forwarding"

      Bouncing is resending an e-mail, to a new recipient. Forwarding is sending a NEW email from the forwarder that includes the original message either as an attachment or embedded in the new message.

      With forwarding the forwarder is just sending a new message as themselves to someone else. The SPF would ignore the attached message and focus on the forwarder's message.

      --
      This is a boring sig
    16. Re:Don't forget SPF by Anonymous Coward · · Score: 0
      Wait, you're saying they deliberately broke mailing lists, or did you badly word the above?

      Assuming your wording was intentional, what was the very specific reason for breaking mailing lists?

    17. Re:Don't forget SPF by Xformer · · Score: 1

      What broken mailing list software are you using? To repeat what's already been said, only the envelope sender address is checked by SPF, not the one in the message headers. Most mailing lists that I've seen wouldn't be affected.

      --
      All I want is a kind word, a warm bed and unlimited power.
    18. Re:Don't forget SPF by Anonymous Coward · · Score: 0

      I'm not using any mailing list software. The great grandparent claimed that SPF was designed to deliberately break mailing list software. I asked him why.

    19. Re:Don't forget SPF by squiggleslash · · Score: 1
      That would imply that the ".forward" file, that was certainly around 14 years ago when I had my first taste of Unix, was incorrectly named.

      Indeed, bouncing generally means sending an email back to its sender, usually with an error. I've noticed this "new" definition, yours, recently on one mail client I used (I forget which) and think it's pretty stupid. Why redefine words like this? It's not even a sane redefinition.

      --
      You are not alone. This is not normal. None of this is normal.
    20. Re:Don't forget SPF by 0x0d0a · · Score: 1

      SPF has severe problems and is fairly easy for a spammer to break.

    21. Re:Don't forget SPF by warrax_666 · · Score: 1

      Your "counterexample" is a straw man.

      There is no way to implement verification of senders without breaking forwarding when using legacy MTAs. So my response to you would be:

      I think it's a tad silly to say "Well, we can't ever make a better system for e-mail because we must stay 100% compatible with an old, broken standard".

      (Translation: Sometimes we must break things to move forward, technologically speaking)

      --
      HAND.
    22. Re:Don't forget SPF by Anonymous Coward · · Score: 0

      Mailing list software? We were discussing forwarding. And it breaks forwarding because the old style of forward kept the sender address while forwarding. To SPF this looks like another host spoofing your address as the sender.
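The two points argued above, that SPF checks the envelope MAIL FROM rather than the From: header (Smallpond, forevermore) and that plain .forward-style relaying fails SPF until the forwarder rewrites the envelope sender (Xformer's "sender address rewriting", this comment), as working code. This is an added example, not code from the thread or from any SPF or SRS implementation: the domains, IP addresses, DNS records and the SRS secret are all constructed, the evaluator handles only ip4 and all mechanisms (no include, a, mx or redirect), and the SRS0 rewrite is a simplified form of the real scheme with a fixed timestamp field instead of the base32 day counter.

```python
import hashlib
import hmac
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption: invented domains and IPs).
SPF_RECORDS = {
    "user.example":      "v=spf1 ip4:198.51.100.10 -all",    # the user's own MTA
    "bank.example":      "v=spf1 ip4:203.0.113.0/24 -all",   # the bank's outbound range
    "forwarder.example": "v=spf1 ip4:192.0.2.5 -all",        # a host with a .forward to the user
}

SRS_SECRET = b"constructed-secret-for-the-example"  # assumption: per-forwarder HMAC key


def check_spf(client_ip, envelope_from, records=SPF_RECORDS):
    """Minimal SPF evaluator: ip4 mechanisms plus the 'all' catch-all, with the four
    qualifiers. The domain comes from the envelope MAIL FROM (return path), never
    from the From: header. Returns pass / fail / softfail / neutral / none."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return qualifiers[qual]
        elif term == "all":
            return qualifiers[qual]
    return "neutral"  # no mechanism matched and no 'all' term


def _srs_tag(payload, secret):
    return hmac.new(secret, payload.encode(), hashlib.sha1).hexdigest()[:4].upper()


def srs_forward(envelope_from, forwarder_domain, secret=SRS_SECRET, timestamp="TA"):
    """Simplified SRS0: the forwarder replaces the envelope sender with an address in its
    own domain that encodes the original, so the next hop's SPF check is made against the
    forwarder's record. Bounces return to the forwarder, which unwraps them."""
    local, _, orig_domain = envelope_from.rpartition("@")
    payload = f"{timestamp}={orig_domain}={local}"
    return f"SRS0={_srs_tag(payload, secret)}={payload}@{forwarder_domain}"


def srs_reverse(srs_addr, secret=SRS_SECRET):
    """Unwrap an SRS0 address; None if it is not SRS0 or the HMAC does not match
    (a forged bounce aimed at the forwarder)."""
    local, _, _ = srs_addr.rpartition("@")
    if not local.startswith("SRS0="):
        return None
    try:
        _, tag, timestamp, orig_domain, orig_local = local.split("=", 4)
    except ValueError:
        return None
    payload = f"{timestamp}={orig_domain}={orig_local}"
    if not hmac.compare_digest(tag, _srs_tag(payload, secret)):
        return None
    return f"{orig_local}@{orig_domain}"


def scenarios():
    """The cases from the thread, keyed by name (all hosts/addresses constructed)."""
    out = {}
    # The user's own server sends as the user.
    out["user_direct"] = check_spf("198.51.100.10", "alice@user.example")
    # The bank's web app copies the user's From: into the envelope sender (the php mail() case).
    out["bank_as_user"] = check_spf("203.0.113.7", "alice@user.example")
    # The fix on the bank's side: send as itself and put the user in Reply-To.
    out["bank_as_bank"] = check_spf("203.0.113.7", "referrals@bank.example")
    # A .forward on forwarder.example relays the message with the envelope sender untouched.
    out["forward_plain"] = check_spf("192.0.2.5", "alice@user.example")
    # The same relay after an SRS rewrite of the envelope sender.
    rewritten = srs_forward("alice@user.example", "forwarder.example")
    out["forward_srs"] = check_spf("192.0.2.5", rewritten)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14s} {result}")
```

In the forwarding case the receiving side sees forwarder.example's IP with user.example's envelope sender, which is exactly what a spoofer looks like; only the rewrite makes the two agree.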

    23. Re:Don't forget SPF by Anonymous Coward · · Score: 0
      SPF has severe problems and is fairly easy for a spammer to break.

      Sshh! After running around yelling -
      What about SPF?
      Have you looked at SPF?
      Brother, have you heard the good news about SPF?
      SPF will save us, SPF will save us!
      every fucking time spam is brought up here. I want the SPF nazis to lock everything down with SPF, only to have spam not subside one iota. Then they will no doubt turn around and do a Bush administration thing:
      We never claimed there was a link between SPF and stopping spam, it was the damn media that did it!

      and

      I may have some information about a reduction in spam caused by SPF that the general public does not know about...
      spammers/terrorists SPF/TIA. It's like all the discussions are completely interchangeable:
      SPF/BigBrother Advocate: Locking everything down will stop spammers/terrorists. What do you have to hide, hhmmm?

      Freedom Lover: Locking everything down will take away our freedom and the spammers/terrorists will still run amok.

      SPF/BigBrother Advocate: Tinfoil hat wearer, everything will be fine TIA/RIAA/MPAA/SPF/MS/Yahoo/DoD/NSA/CIA/FBI/Verisign/Diebold all have our best interests at heart, really, they said so and I believe them.

      Freedom Lover: Um, OK, I am pretty sure we're fucked, but it will be too late to say "I told you so", kinda like the global warming/climate change thing.
    24. Re:Don't forget SPF by macdaddy · · Score: 1

      eBay "Message from eBay Member" messages do this. IIRC Paypal does too. I'm sure I've seen others but I can't remember them off the top of my head. That's always been something that annoyed me. I get a lot of spam that forges my address as the sender so when I flush it from my trap I get the DSN. Grrr...

    25. Re:Don't forget SPF by squiggleslash · · Score: 1
      There is no way to implement verification of senders without breaking forwarding when using legacy MTAs.

      By legacy MTAs, you mean every existing MTA on the planet. Because you actually meant to type "current" but your fingers slipped, right?

      And my answer to that comment, whether you use "legacy" or "current", is this: then don't. It's pointless, it's idiotic, verification of senders is not going to do anything about spam.

      I think it's a tad silly to say "Well, we can't ever make a better system for e-mail because we must stay 100% compatible with an old, broken standard".

      It's current, not "old", and it's not broken.

      Translation: Sometimes we must break things to move forward, technologically speaking

      Indeed we do. How is verifying the validity of an envelope From line a move forward? Is this such a move forward that it justifies breaking what it breaks?
      --
      You are not alone. This is not normal. None of this is normal.
  2. I don't want to sound pessimistic by TheOtherAgentM · · Score: 2, Insightful

    ...but the people that would really read these things are the ones that know how to avoid most spam already, aren't they? I doubt my parents would even stumble across any of these resources in their daily submitting of their email addresses to every form they can find.

    1. Re:I don't want to sound pessimistic by Zardus · · Score: 1

      The guidelines are for ISPs to follow, not grandparents.

      --
      You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
    2. Re:I don't want to sound pessimistic by pavon · · Score: 2, Insightful

      Seeing as how these are guides for system administrators, I don't see how your parents need to know any of this. Besides it isn't a knowledge problem that this solves, but a business problem.

      This is a loose agreement by ISPs about what they need to do on their part to confront spam. These things would improve the situation, but ISPs are reluctant to implement them out of fear that the user will become angry with the tightened security and go to another ISP. And I am not talking about spammers, I am talking about everyday users who don't like to be told to patch their systems or get off the internet.

      So what these guidelines do is provide a unified front - a lowest common denominator policy that all the ISPs are willing to implement. It will improve the situation somewhat, but will not be too noticeable by the user, and to the extent that it is they can't leave and go somewhere else because all the major ISPs will be doing it.

    3. Re:I don't want to sound pessimistic by Suidae · · Score: 1

      From the second paragraph of the FA:

      "The proposal provides recommended actions and policies for Internet service providers (ISPs) and e-mail service providers (ESPs) as well as large senders of e-mail including governments, private corporations and online marketing organizations."

      This isn't even intended for people like your parents.

    4. Re:I don't want to sound pessimistic by Vihai · · Score: 1

      Is it only me who finds it pretty contradictory to read, on a paper published by Yahoo (among others), "Close redirectors that can be abused" when rds.yahoo.com is the most abused redirector EVER?

    5. Re:I don't want to sound pessimistic by LurkerXXX · · Score: 1
      I don't want to sound pessimistic...

      but, people who need to read the articles to see what they say and who their intended targets are before they post, never actually read the freaking articles.

      Do you?

  3. Best practices,... published? by Bill,+Shooter+of+Bul · · Score: 2, Insightful

    Spammers are like a retrovirus. They will adapt to any system you construct. Creating a list of what every major ISP will do to combat them will only serve to accelerate their evolution and make them more effective spammers.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
    1. Re:Best practices,... published? by AviLazar · · Score: 5, Insightful

      And just like all crime, all we can do is fight back. We either find the weakness ourselves and fix it, or we find out that a criminal (spammer) found a weakness and we fix it. To sit and do nothing would be really bad (imagine windows XP with all the flaws dating back to windows 3.1) :)

      --

      I mod down so you can mod up. You're welcome.
    2. Re:Best practices,... published? by Samael_666 · · Score: 0, Offtopic

      Security through obscurity is not the way to go if you ask me ...

    3. Re:Best practices,... published? by WormholeFiend · · Score: 2, Insightful

      one example of bad spammer behavior I've seen, which is totally new from the usual types is spammers sending email pretending to be my ISP, complete with legit-looking special offers from said ISP...

      but with a suspicious attachment or a spurious "click here if you don't want to receive such notices anymore".

      I shudder to think how many people will fall for those evil tricks.

    4. Re:Best practices,... published? by jkabbe · · Score: 2, Insightful

      One major reason that spammers are using zombies is that ISPs cracked down on spammers and closed a lot of open relays. Are you suggesting these weren't good ideas? Just because a spammer may find another way to spam doesn't mean we shouldn't shut down the known methods of spamming if we know how.

    5. Re:Best practices,... published? by surreal-maitland · · Score: 5, Insightful

      just like we should not publish our source code because then hackers will find exploits, right?

      --
      -ninjaneer
    6. Re:Best practices,... published? by Have+Blue · · Score: 2, Insightful

      Spam does not have to be made impossible to be eliminated; we just have to reduce response rates to the point where it's no longer profitable and wait for professional spammers to die off.

    7. Re:Best practices,... published? by Anonymous Coward · · Score: 0

      Sorry but the biologist in me can't stay silent...

      On a biological level, anything alive and capable of mutating in a selective environment will adapt to any system you construct. Including but not specific to retroviruses. There is nothing special about retroviruses for this kind of system, only that they have a higher mutation rate and mutation hotspots in the proteins that the human body recognizes. People are familiar with them because they are very well adapted to not being recognized and cause disease.

      And does knowing that the spammers will mutate and change mean you should stop trying? Why bother with antibiotics, the bacteria are going to evolve to become resistant to them anyway.

      There will never be elimination of spam, only an arms race.

    8. Re:Best practices,... published? by deadmongrel · · Score: 3, Insightful

      Spammers are like a retrovirus. They will adapt to any system you construct. Creating a list of what every major ISP will do to combat them will only serve to accelerate their evolution and make them more effective spammers.

      Spammers always try to be one step ahead of the game. Just keeping the best practices a *secret* wouldn't help to combat spam. It's the business model that needs to be attacked. Money is made somewhere and that is where we have to attack. Having said that, I think it's important we keep these fighting techniques open. A lot of people would benefit from it. Also, just like security, obscurity would be of no help.

    9. Re:Best practices,... published? by Anonymous Coward · · Score: 3, Funny

      Yes. There's one going around now titled "best practices to help fight spam". Delete that one right away.

      But be sure to verify your Paypal information, that one's legit.

    10. Re:Best practices,... published? by LehiNephi · · Score: 5, Interesting

      Attacking the source of the money--that, I believe, is the only way to kill spam.

      That's why I run Unsolicited Commando. It fills the inboxes of companies that pay for spam with spurious form fill-outs. I guess it's kind of like giving them a taste of their own medicine.

      --
      Help find a cure for cancer. Join the [H]orde
    11. Re:Best practices,... published? by Anonymous Coward · · Score: 0

      OK, but having closed relays is better than having open relays. Maybe spammers will resort to looking for free E-mail accounts instead, but it makes them traceable instead. An earlier article was posted on slashdot about the activities of Mr Spammer. Apparently, half the list of 4,000,000 Emails were mis-spelled or invalid. And a good percentage of relays listed were closed or inaccessible.

      We shouldn't make things any easier for them.
      And if free E-mail ISP's place a time throttle on messages with multiple E-mail addresses on free E-mail address accounts, that's even better.

      Not forgetting the disconnection of zombie machines.

      Even if the spammers then move to a foreign ISP, we'll block that IP address until the ISP cancels their account or the spammer gives up.

    12. Re:Best practices,... published? by Anonymous Coward · · Score: 1, Insightful

      They will adapt to any system you construct.

      In theory, yes. In practice, given enough time, yes. But it usually takes quite a bit of time and it makes anti-spam filters better. How? Well, generally speaking, spammers have a standard set of tricks that they stick to. When a lot of people stop giving them the ability to use those tricks, they just try harder to find suckers that will.

      For instance, formmail.pl is a traditionally vulnerable spamming hole. When it was fixed (and when NMS became popular), a hell of a lot of spamming opportunities were made unavailable. But spammers still try and find vulnerable versions, as there are always a few lurking out there.

      If we reduce the suckers significantly, spammers not only go to more effort to find them, but the set of suckers they have to operate with are smaller (hence, easier to track down and blacklist).

      When the number of suckers drops below a certain point, it's true that spammers do have to invent new tricks. But that is hard and expensive (at least compared with a spammer's usual workload). It may also be illegal, making it much easier to crack down on spammers. For instance, now that open relays are almost non-existent, spammers have been forced to pay programmers to write viruses/worms/etc for hosts to send through.

    13. Re:Best practices,... published? by deadmongrel · · Score: 1

      That's why I run Unsolicited Commando [astrobastards.net]. It fills the inboxes of companies that pay for spam with spurious form fill-outs. I guess it's kind of like giving them a taste of their own medicine.

      Unfortunately, I don't agree with this way. I don't want to start a flame war or anything but just my thoughts. Yes! I said attack the very foundation that supports spammers, which should be achieved not by doing the same thing that spammers are doing to us. Money and paper are traceable so can be fought with legislation, while defending ourselves against spam messages using technology.

      As I said earlier, its just my thought.
    14. Re:Best practices,... published? by Hatta · · Score: 1

      Spammers are like a retrovirus. They will adapt to any system you construct.

      A retrovirus is just a virus that goes RNA->DNA. Since it usually goes DNA->RNA, they call it retro. It has nothing to do with adaptability.

      --
      Give me Classic Slashdot or give me death!
    15. Re:Best practices,... published? by MissTuxie · · Score: 2, Insightful

      one example of bad spammer behavior I've seen

      Have you ever seen any GOOD spammer behavior?

    16. Re:Best practices,... published? by WormholeFiend · · Score: 4, Funny

      Have you ever seen any GOOD spammer behavior?

      As a matter of fact, yes.

      Some of them retire.

      Or die.

    17. Re:Best practices,... published? by Anonymous Coward · · Score: 0

      I'm a Democrat. I don't fight back against crime. I scream "Police Brutality."
      Criminals are just misunderstood, repressed individuals that you should spend tax money on to help build their self-esteem. Plus, you should tolerate and celebrate the diversity the criminals bring to our multi-cultural world.

    18. Re:Best practices,... published? by WormholeFiend · · Score: 1

      why dont ISPs just block internet access to the zombie PCs they detect, for violation of the terms of use?

      when the user calls up customer service, they can then follow the instructions on how to clear the malware.

    19. Re:Best practices,... published? by jkabbe · · Score: 2, Informative

      Comcast has indicated they will be doing just that. Other ISPs are beginning to shut down port 25 for everyone. As many times as I have disagreed with Comcast in the past, I like their plan of action this time.

    20. Re:Best practices,... published? by Anonymous Coward · · Score: 0
      imagine windows XP with all the flaws dating back to windows 3.1

      It doesn't require too much imagining.
    21. Re:Best practices,... published? by Anonymous Coward · · Score: 0

      Comcast has admitted they're a major spam house and their plan for fixing it amounts to a steaming pile. They've just made the announcement so they can claim to be making changes if someone makes an accusation in print.

    22. Re:Best practices,... published? by Anonymous Coward · · Score: 0

      we just have to reduce response rates to the point where it's no longer profitable

      This assumes that professional spammers make money based on their response rate, which is naive at best.

      Professional spammers don't care what the response rate is, because professional spammers make their money by duping people into believing that spam works. Plainly put, they are con-men.

      Spammers make their money by selling the business of spam to morons who aren't smart enough to realize that it doesn't work. The main argument is "if it didn't work, then why is there so much spam?" People who lack critical thinking skills will miss the answer, which is "because people think it works."

      When a spammer convinces someone to buy their 'services', they've made their money even if the response rate is exactly zero.

    23. Re:Best practices,... published? by Pig+Hogger · · Score: 1
      Spam does not have to be made impossible to be eliminated; we just have to reduce response rates to the point where it's no longer profitable and wait for professional spammers to die off.

      A good way to do so is to apply the internet death penalty to all networks that not only house spammers, but also let their clients connect spambot/worm-compromised machines.

      When their clients find out that they are basically on an intranet, they can either move elsewhere or bitch loudly enough so they boot the spammers and the spambots.

      We're in a war, and we're reaching the point of total war where nothing but the total unconditional obliteration of the spammers will do.

    24. Re:Best practices,... published? by firewood · · Score: 1
      Attacking the source of the money--that, I believe, is the only way to kill spam.

      Attacking only the source of the money won't help. There are too many stupid people, and more born every minute, as well as some malicious people who don't care about the money.

      Attacking the cost/benefit ratio is the best solution. It cost you time and money to handle spam. If you, or your provider, start charging for any email which is allowed into your network to cover that cost, and most people do likewise, the cost/benefit ratio will eventually start working against spammers. Free email will be left to researchers and police tip lines (etc.)

    25. Re:Best practices,... published? by Anonymous Coward · · Score: 0
      A good way to do so is to apply the internet death penalty to all networks that not only house spammers, but also let their clients connect spambot/worm-compromised machines.

      We're calling it: SPEWS

      Actually, I think SpamHaus does this (end user spambot blacklists) already.
  4. Balance by it0 · · Score: 1, Insightful

    I hope they find the right balance between just providing the internet and locking it down so it can't harm the average consumer.

  5. What about my personal mail server? by tstoneman · · Score: 3, Interesting

    I am thinking about setting up my own personal mail server for my small business.

    Is there a guideline that can help me figure out what steps I need to take to harden my mail server?

    I will be using either Postfix or Microsoft Exchange.

    1. Re:What about my personal mail server? by forevermore · · Score: 2, Informative
      Unless you need the groupware functionality of Exchange, go with postfix or courier. Then install Spamassassin and Rules du Jour to keep your spamassassin rules up to date, and a good serverside antivirus program like Clam. Also, configure some blackhole servers (I use dnsbl.sorbs.net, list.dsbl.org, dnsbl.njabl.org and relays.ordb.org).

      And then be prepared to continue filtering out spam (although with my setup, of the 100+ daily messages that would get into my inbox without filtering, I now get about 10, all marked as spam, with the rest getting blocked by the rbl lists and some custom rules).

      --
      Do you really need reason for beer? Wingman Brewers
    2. Re:What about my personal mail server? by Short+Circuit · · Score: 1

      I'd also be concerned about their allowing you to send and receive email without going through their smarthost.

    3. Re:What about my personal mail server? by thedillybar · · Score: 3, Informative
      >Is there a guideline that can help me figure out what steps I need to take to harden my mail server?
      Basically don't relay mail for any user who you don't know (either by IP address or by SMTP authentication). Relaying is accepting mail for another domain and passing it on. If the server is the MX server for your domain, you must accept mail addressed to that domain regardless of whether or not you know the sending party.

      >I will be using either Postfix or Microsoft Exchange.
      I use sendmail, and I know that the "default" prevents unauthorized relaying. The latest version of Postfix or Exchange will almost certainly do the same. After you make any configuration changes, just verify that an outside machine can't send mail to another domain.

      Whichever SMTP software you run, I'd recommend joining some comp.mail.* newsgroups.
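The last step above (after any change, verify from an outside machine that the server will not relay to another domain) as a script. This is an added example, not code from the thread: the small SMTP responder below is constructed so the probe can run offline and stands in for a real MTA, and the host names, addresses and domains are invented. Against a real server you would call is_open_relay() with its hostname and port 25 from a machine that is not in mynetworks, using a recipient domain the server is not MX for.

```python
import smtplib
import socketserver
import threading

# Domains the toy server considers its own (constructed for this example).
LOCAL_DOMAINS = {"example.com"}


class _ToySMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder standing in for a real MTA. It accepts RCPT TO for
    LOCAL_DOMAINS only, unless the server was started with open_relay=True,
    which models a misconfigured relay."""

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 toy.example.com ESMTP toy")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 toy.example.com")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                # "RCPT TO:<user@domain>" -> "domain"
                domain = line.rsplit("@", 1)[-1].rstrip(">").lower()
                if self.server.open_relay or domain in LOCAL_DOMAINS:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply("554 5.7.1 Relay access denied")
            elif verb == "RSET":
                self.reply("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


class ToySMTPServer(socketserver.ThreadingTCPServer):
    """Listens on an ephemeral loopback port in a background thread."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), _ToySMTPHandler)
        self.open_relay = open_relay
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]

    def stop(self):
        self.shutdown()
        self.server_close()


def is_open_relay(host, port, sender="probe@attacker.example", rcpt="victim@other.example"):
    """Connect as an outsider, claim a foreign sender, and ask to deliver to a domain
    the server is not responsible for. True means the server accepted the RCPT,
    i.e. it would relay for anyone. No message is actually sent."""
    with smtplib.SMTP(host, port, timeout=5) as smtp:
        smtp.ehlo("probe.attacker.example")
        code, _ = smtp.mail(sender)
        if code != 250:
            return False
        code, _ = smtp.rcpt(rcpt)
        return code == 250


if __name__ == "__main__":
    for policy in (False, True):
        srv = ToySMTPServer(open_relay=policy)
        print(f"server open_relay={policy}: probe reports open={is_open_relay('127.0.0.1', srv.port)}")
        srv.stop()
```

The probe stops at RCPT TO and never sends DATA, so a positive result does not actually push a message through the server; it only shows that the server's recipient restrictions would have let one through.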

    4. Re:What about my personal mail server? by Anonymous Coward · · Score: 2, Funny

      To harden your mail server, heat it to 1000 degrees, then quench it in oil. This is guaranteed to block all spam.

    5. Re:What about my personal mail server? by Anonymous Coward · · Score: 1, Funny

      Heat the spammer to 1000 degrees, then quench it in oil. This is guaranteed to block all future spam from this rat.

    6. Re:What about my personal mail server? by Anonymous Coward · · Score: 0

      I set up postfix last year, and using their guidelines ( www.postfix.org ) and the ordb blocking lists ( www.ordb.org ) and open relay checking, I have been able to keep a secure and virtually spam free server.

      I have added the following to the main.cf file, which keeps it fairly secure.

      # Require a HELO/EHLO and disable VRFY (address enumeration).
      smtpd_helo_required = yes
      disable_vrfy_command = yes

      # Per-client checks. permit_mynetworks comes first so local clients skip the rest;
      # reject_unauth_destination is what stops us being an open relay;
      # reject_rbl_client consults the DNS blocklists.
      smtpd_client_restrictions = permit_mynetworks,
          reject_non_fqdn_hostname,
          reject_non_fqdn_sender,
          reject_non_fqdn_recipient,
          reject_unknown_sender_domain,
          reject_unknown_recipient_domain,
          reject_unauth_destination,
          reject_rbl_client relays.ordb.org,
          reject_rbl_client bl.spamcop.net

      smtpd_helo_restrictions = permit_mynetworks,
          reject_invalid_hostname

      smtpd_sender_restrictions = permit_mynetworks

      # Refuse clients that send commands before being told they may pipeline.
      smtpd_data_restrictions = reject_unauth_pipelining

    7. Re:What about my personal mail server? by Anonymous Coward · · Score: 0

      This is what I do on my mail server:

      • Any company or mailing list that I supply an email address to gets a unique address. For example, Slashdot thinks my email address is "[initials]-slashdot@mydomain". Only people I really want to hear from get my real email address. The other addresses forward to mine, and can be disabled at any time. This is a real pain, but it is also effective.
      • My email address is memorable and based on my name, but is not easily guessed. If I used "[firstname]@", it would more likely get spam.
      • I block all mail from servers blacklisted by Spamcop. [I have tried other RBL's, but I have had most luck with SpamCop.]
      • I block all executable attachments, and ".zip" files. [I'm not sure blocking .zip files is a great idea, but it helps keep the virus attempts out.]

      My personal email account (not counting the alias addresses) has gotten spam, but not in several weeks. Not bad, considering I've had my email address for five years now!

    8. Re:What about my personal mail server? by LuxFX · · Score: 1

      I am thinking about setting up my own personal mail server for my small business

      I'm planning on doing the same thing. When I was hunting for information I found this link, it has plenty of resource information. Maybe it will help you too.

      --
      Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
    9. Re:What about my personal mail server? by Walrus99 · · Score: 1

      Use Postfix enabler to set up Postfix on Mac OS 10.3
      http://www.cutedgesystems.com/weblog/Tutorials/PostfixEnabler.html
      Easy to set up and administer. GUI; no need to use the command line.

    10. Re:What about my personal mail server? by Not_Wiggins · · Score: 1

      I have my own mailserver running postfix.

      One thing I can't recommend highly enough: address extensions.

      You can turn them on in postfix easily. Then, it'll map anything that follows after the extension to your user mailbox. For instance, let's say you have stone@man.com

      With address extensions, you could have (without changing a config file) stone+getlost@man.com, stone+slashdot@man.com, etc. Anything after the "extension" is dropped for delivery purposes, so all that mail would go into the "stone" user mailbox.

      And if you start getting spam at, say, stone+spam_me_please@man.com, creating a clever forward file: .forward+spam_me_please

      in your home directory with a single line:

      "|exit 67"

      will start bouncing all mails to that address as user not found. ;)

      Of course, it can be done more elegantly with the new Postfix content filtering (i.e., bounce it *before* you fully accept the mail), but that's the stuff of advanced users (i.e., you need to set some real time aside to do it properly).

      Outside of mitigating your spam, if you use unique addresses at all locations, you can also figure out where the spammer picked it up! Nothing like having a finger to point at a real leak! ;)

      Spamassassin (with Bayesian filtering) is rocking sweet, too!

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    11. Re:What about my personal mail server? by danmart · · Score: 1

      argosoft makes a good mail server that is easy to configure and easy to secure.

    12. Re:What about my personal mail server? by senatorpjt · · Score: 1

      I doubt this would be very effective. I'm sure that spammers are probably all familiar with this trick by now, and just s/+.*@//g their spam list. I have postfix set up with an alternate domain, where everything goes to my primary email address.

      So, the email address I give to slashdot would be slashdot@whatever.com, etc. It all gets forwarded to another email address, and my email client has a rule that moves all email to the alternate domain to a separate mailbox.

    13. Re:What about my personal mail server? by Pig+Hogger · · Score: 1
      First rule: don't use Microsoft Exchange.

      Last rule: don't use Microsoft Exchange.

    14. Re:What about my personal mail server? by Not_Wiggins · · Score: 2, Interesting

      How is that any different except you have to update your aliases file (or whatever config) anytime you wish to create a new ID?

      At least I can just log onto amazon and create me+amazon@myrealdomain.com without a thought.

      Or, are you saying that mail to whomever1@whatever.com, whomever2@whatever.com will always forward on to you@myrealdomain.com?

      It essentially is the same problem as having your "real" (final) e-mail address out there for the world to see... maybe worse, if you have it set up as a "catch-all." Filtered into a separate mailbox, you're still getting all the spam.

      But, I think you'll agree, the solution isn't really in either of our setups... it is in nailing the spamming bastards to the walls. That would require better authentication/validation of sender identity and location. At least if we could trace the mail back to a real person, things would change in more of a hurry.

      BTW, have you thought about implementing grey-listing in your postfix config? (Just in case you're not familiar: it associates a triplet with incoming mail... the sender, the receiver, and the originating IP). First time it sees a triplet, it logs it and rejects it with a 450 (temporary) error. Most spammers never bother with retries, so it can effectively bounce messages out. Real mail programs will retry... and on the second (and future) attempts, it'll just go through. Sure, it delays the mail a little, but it weeds out a *lot* of spam. 8)

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
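The greylisting scheme described in the comment above, as an added example (not code from the thread); the delay and expiry values, addresses and traffic are constructed for the example.

```python
"""Greylisting on the (client IP, envelope sender, envelope recipient) triplet.

Added example, not from the thread.  The first time a triplet is seen it is
logged and rejected with a 450 temporary error.  A real MTA queues the message
and retries; once a retry arrives after the minimum delay the triplet is
remembered and passes straight through.  Most spam engines never retry.
"""
import time
from dataclasses import dataclass, field

MIN_DELAY = 300           # seconds before a retry is accepted (assumed value)
UNSEEN_EXPIRY = 4 * 3600  # first attempt not retried within this is forgotten (assumed value)


@dataclass
class Greylist:
    min_delay: int = MIN_DELAY
    expiry: int = UNSEEN_EXPIRY
    pending: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed: set = field(default_factory=set)      # triplets that completed a retry

    def check(self, client_ip, mail_from, rcpt_to, now=None):
        """Return the SMTP (code, text) to answer at RCPT TO for this triplet."""
        now = time.time() if now is None else now
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return 250, "2.1.5 OK (known triplet)"
        first = self.pending.get(triplet)
        if first is None or now - first > self.expiry:
            self.pending[triplet] = now          # log it and defer
            return 450, "4.7.1 Greylisted, please try again later"
        if now - first < self.min_delay:
            return 450, "4.7.1 Greylisted, retry too early"  # immediate hammering
        self.passed.add(triplet)                 # a real queue runner came back
        del self.pending[triplet]
        return 250, "2.1.5 OK (retry accepted)"


def simulate(greylist=None):
    """Constructed traffic: one real MTA that retries after six minutes and one
    spam engine that fires once per forged sender and never retries.
    Returns how many RCPT TO commands each source got accepted."""
    greylist = greylist or Greylist()
    accepted = {"mta": 0, "bot": 0}
    me = "me@mydomain.example"
    for t in (0, 360):                           # first attempt, then the queue retry
        code, _ = greylist.check("198.51.100.10", "alice@example.org", me, now=t)
        if code == 250:
            accepted["mta"] += 1
    for i in range(5):                           # five one-shot attempts, never retried
        code, _ = greylist.check("203.0.113.77", f"offer{i}@forged.example", me, now=5)
        if code == 250:
            accepted["bot"] += 1
    return accepted
```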
    15. Re:What about my personal mail server? by warrax_666 · · Score: 1
      I'm sure that spammers are probably all familiar with this trick by now, and just s/+.*@//g their spam list. I have postfix set up with an alternate domain, where everything goes to my primary email address.


      Simple solutions:

      1. Make sure your primary email address contains at least 1 instance of the separating character. Most mail servers handle that situation correctly, but it defeats the simple "strip-everything-after-$CHAR" tactic.
      2. Don't accept mail to the "primary email address", only accept mail to particular extensions. If you think about it, the "primary email address" functions as a sort of catch-all address for your little "virtual" subdomain, so eliminating it is exactly the same as having a full domain at your disposal and just creating specific aliases that work (as opposed to just accepting anything sent to any address at the domain).

      --
      HAND.
    16. Re:What about my personal mail server? by thevoman · · Score: 1

      At work we use Linux sendmail as our mail gateway and have it virus/spam filter it before it arrives into the Exchange mail server. (Mail that is sent from the Exchange server is relayed through the Linux server on its way out.) It works extremely well. We can keep all the groupware features offered by the Outlook/Exchange combination for our Windows-using employees while keeping the Exchange server away from the public. There are also some e-mail spam filtering/virus filtering hardware appliances that are worth a look. SpamAssassin is indeed extremely cool, and so is ClamAV (make sure you keep both up to date). Bottom line, just keep Exchange away from the WAN.

    17. Re:What about my personal mail server? by phildog · · Score: 1

      >I use sendmail, and I know that the "default" prevents unauthorized relaying. The latest version of Postfix or Exchange will almost certainly do the same.

      Be careful of the default setting for relaying in Postfix. The default is to trust other machines on the local subnet, and as I was using a co-lo facility, I was used as a spam relay by one of the boxes on my subnet. This was not a pleasant experience.

      The applicable one-liner change to Postfix's main.cf that ended this:
      mynetworks_style = host

      Don't let me scare you, Postfix is fabulous. Just read the docs through a few times.

      --
      slashsearch.org - slashdot search. powered by google.
    18. Re:What about my personal mail server? by WoodstockJeff · · Score: 1
      Make sure your email server knows a message can be delivered before accepting it. Many "enterprise capable" mail servers don't (or can't) check to see if an email address is valid until AFTER they accept it... and then generate a bounce message when they can't figure out what to do with it.

      This is one form of an open relay... If I want to spam bob@anywhere.com, and know that bigcompany.net runs Exchange Server, I spoof a message FROM bob@anywhere.com, containing my spam message, and send it TO some randomly-selected address at bigcompany.net, such as notavalidemailaddress@bigcompany.net.

      If your server knows all the valid addresses it handles messages for, it can reject the message during the initial handshaking - issue a 550 No Such User message after being told who the target is. If it doesn't know, well... It can't do anything but accept mail targeted for your domain, and hand it off to the delivery agent.

  6. limit port 25 by markan18 · · Score: 4, Insightful

    As long as i still can run my own smtp server.
    They can limit outbound port 25 because i still can forward my email through their official smtp server. If they limit inbound port 25, it will suck big time.

    1. Re:limit port 25 by hackstraw · · Score: 1

      Most ISPs don't block ports to prevent their users from doing something they don't want to do. Why? Because it's trivial to move any given service to another port.

      Moderators, think before you mod.

    2. Re:limit port 25 by squiggleslash · · Score: 1
      It's not possible to move incoming SMTP to a different port. When someone wants to send you email they will expect port 25 to be open and accessible for your domain on the hosts your MX records point at (or failing that, the host your A record points at.)

      Ironically, the only "useful" SMTP service you can move to another port is an SMTP relay, on the grounds that some email clients allow you to say which port the smarthost is on...

      Note to people thinking of replying to the above to say I'm wrong. Please read it again. We're not talking about smarthosts in the first paragraph, and running your own smarthost is pretty pointless for the most part anyway. We're talking about a situation where you're running an SMTP server to *receive* email for "mydomain.blah". You *must* receive it via SMTP on port 25 if you want it accessible by standard email MTAs.

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:limit port 25 by TastyWords · · Score: 1

      No, most ISPs don't block 25 because they don't want to deal with the time & effort necessary to educate all of their users strapped to Outhouse and Outhouse Express to switch to a different port.

      There's been a lengthy discussion on SPAM-L about this.
      My suggestion has been to create a virus which would do it. Turn it loose on Friday, then on Monday all should be switched over.

    4. Re:limit port 25 by Plazzma · · Score: 1

      Yes, lots of ISPs block port 25 because many people set up their own mail servers at home and leave them open for relaying. It is fairly easy to secure a mail server like Postfix. I know my ISP blocks port 25 and the best solution I think is to try a mail reflector; No-IP has a pretty good one. You make your mail server run on port 9925 and No-IP or whatever service will reflect mail to that port on your machines.

    5. Re:limit port 25 by markan18 · · Score: 1

      I know about the no-ip mail reflector, i already use no-ip as a dns provider for my dynamic ip. The problem with their mail reflector is the cost. It's not very expensive, but paying for something on the internet is cumbersome when you don't own a credit card and dangerous if you do own one. I also have to pay for the CAN$ -> US$ exchange rate which is getting better but still not 1:1.

      Also, i don't want the cost of running my own mail server to increase because some dumbasses cannot secure their servers. I'm glad Windows is now secure, no more buffer overflows, no more email viruses with Outlook 2003 and no more worms that spread with the help of open ports.

      Am i too optimistic?

    6. Re:limit port 25 by Anonymous Coward · · Score: 0

      What if hardware firewall vendors targeting the residential market (LinkSys, NetGear, et al.) had a default rule set with port 25 disabled? While it wouldn't eliminate SPAM from compromised systems, it would reduce it. Besides, it wouldn't be that difficult for those needing port 25 enabled to reconfigure it.

      I must be missing something as it seems too easy. I will concede that it may drive up tech support calls for the vendors.

    7. Re:limit port 25 by FireFury03 · · Score: 2, Informative

      TFA says clearly that blocking port 25 is a problem for those of us who run our own SMTP servers (and no I won't be forwarding through my ISP's smarthost - it's pointless, adds another point of failure and like I trust an ISP to make services work right :). The article also says that ISPs must accommodate these people by allowing people to unblock port 25 if they have a legit use for it. IMHO the document is very well written - when I downloaded it I was expecting to see a "block everything except web" type overreaction and was pleasantly surprised.

  7. Take what they say with a grain of salt by Raul654 · · Score: 4, Interesting

    How many of those ISPs were caught in pink contracts?

    --
    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
    1. Re:Take what they say with a grain of salt by kevin_conaway · · Score: 1

      Exactly...how many? Care to back this up?

    2. Re:Take what they say with a grain of salt by Anonymous Coward · · Score: 0

      Better yet, how many of those ISPs slaughtered millions of Jews?

      This is a fun game.

    3. Re:Take what they say with a grain of salt by swb · · Score: 1

      You have to presume that it's far more common than anyone would suspect, and I think not only are the spammers/ISPs linked this way, but the sleazeballs behind the spam likely have similar arrangements with banks and credit card processors.

      Which is why we need a RICO investigation of spamming. As long as it's treated by law enforcement as merely unpopular, the otherwise legitimate providers of services necessary for spam (ISPs, banks) will just take extra money -- over OR under the table -- to provide them those services.

      A few high-profile prosecutions of the entire "spam team" (the spam mail sender, the spamvertized business owner, and all the "legit" business people that enabled them) could scare legit businesses to the point where they won't get involved with spammers for a price that spammers can afford to pay.

      If you push the costs spammers have to pay high enough, it won't be profitable and no one will do it.

    4. Re:Take what they say with a grain of salt by Desert+Raven · · Score: 2, Insightful

      You have to presume that it's far more common than anyone would suspect

      Actually, pink contracts aren't even necessary for spammers anymore. With major providers like MCI/UUNet, who will only kick off spammers if they spam from their space, and the wide availability of compromised systems to use as relays, spammers can have completely bulletproof hosting from the largest backbone provider without negotiating special contracts.

    5. Re:Take what they say with a grain of salt by Anonymous Coward · · Score: 0

      Well, IBM did their part in slaughtering Jews, and they used to run ISPs (Prodigy and ibm.net).

    6. Re:Take what they say with a grain of salt by Anonymous Coward · · Score: 0

      Just google for bulletproof hosting and you will find lots of scumbags like these.

    7. Re:Take what they say with a grain of salt by bedessen · · Score: 1

      Good point. Conspicuously lacking in their list of things ISPs should do is "Provide ample staffing for your abuse desk, give them adequate power to shut down abusers, and respond quickly to abuse reports."

      If every ISP had an Afterburner-esque person in charge of the abuse desk, then the amount of spam-support sites, trojaned zombies, and general malfeasance would go way down. To all you ISPs who redirect abuse@ mail to /dev/null: wake the hell up and start becoming part of the solution.

  8. No specific technology proposals by Marxist+Hacker+42 · · Score: 1

    And I'm undecided as to whether that is good or bad. Sure, there have been a few new exciting tools out there- but as soon as they become common knowledge the spammers start working on circumventing them. So maybe it's best that this didn't mention any specific tools- just broad categories like virus checkers and firewalls.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:No specific technology proposals by Talking+Toaster · · Score: 1

      And sometimes the methods used to circumvent anti-spam tools are used to detect spam.

      For instance, SpamAssassin detecting random words in an email is a sign of spam.

      "All around the mulberry bush, The monkey chased the weasel."

      I like the idea about identifying zombies. And yes, some people have legitimate reasons to be sending out lots of emails. But if there is a sudden change in activity, it does make sense for the ISP to call up the customer and ask "What's Up."

      --
      Howdy Doodly Doo!
      Anybody want some Toast?
  9. Whatever... by Bif+Powell · · Score: 4, Insightful

    ...let's just all do something before the government really starts to regulate things. I'm stupid about such things, so out of curiosity why hasn't the w3c or the people who write the RFCs come up with some new SMTP spec?...please...

    1. Re:Whatever... by IamGarageGuy+2 · · Score: 2, Interesting

      That would be the way to go... but unfortunately life doesn't work that way. SMTP is so entrenched everywhere that writing a new spec is like making a new internet. In theory, it's easy, in reality everybody would bitch that their email doesn't work.

      --
      Stay tuned for new sig...
    2. Re:Whatever... by carrus85 · · Score: 0

      True, however it is not unfeasible. SMTP, while great, has its inherent flaws (VERY insecure, addresses are easily spoofed, etc.). If an RFC was drawn up to handle email in a bit more secure way (aka. Making it so it is impossible to spoof an address (well, make the email address spoofable, but not the ip address tracking that is kept in the mime headers)).

      This is one reason I'm looking forward to IPv6. IPv6 incorporates so many more addresses into the mix that it can be technically feasible to track ip addresses with email. True, the size of the email will grow substantially, but is it a risk we are willing to take? Look at it this way, if we had enough IPv6 addresses to basically assign every network interface in the world to its own, unique address that was unalterable, we could track any email and its origins.

      I agree, it is infeasible to change the spec for SMTP-IPv4. But, when SMTP-IPv6 comes out, the opportunity to re-invent some of these (as well as many other) protocols is presented.

    3. Re:Whatever... by firewood · · Score: 2, Insightful
      SMTP is so entrenched everywhere that writing a new spec is like making a new internet. In theory, it's easy, in reality everybody would bitch that their email doesn't work.

      New net protocols have always displaced old protocols without requiring a new internet. Like Gopher (et al.), SMTP will soon fade away because it already doesn't work. At the current rate-of-increase of spam, allowing current SMTP email onto your network will soon become (if not has become already) the same as paying a gangster to DDoS your network.

  10. press release on yahoo gives more info by brian+ferullo · · Score: 3, Informative
  11. Blocking outbound port 25 by Bronster · · Score: 4, Interesting

    Makes me really glad that I push all my email backwards and forwards through an openvpn connection to my mail server now. As long as my ISP doesn't block UDP port *mumble* I'll be fine.

    My wife was not so lucky. She was unable to send email a few weeks ago when our cable modem provider instituted outbound port 25 blocking. Luckily it's really easy to set postfix up to listen for smtp on another port as well - one quick config change and she was back in business. I'm planning to install openvpn for Windows on her box one of these days.

    1. Re:Blocking outbound port 25 by warpSpeed · · Score: 2, Interesting
      Makes me really glad that I push all my email backwards and forwards through an openvpn connection to my mail server now.

      Openvpn rocks! I have started to use it for clients that I relay mail for, and back their systems up remotely. It works with Win32-Linux, Windows-Win32, Linux-Linux.

      I run open VPN on my laptop and tunnel back to the mothership for access to all my local services at home too.

      I have converted a few people using remote laptops over to it for various applications and it is pretty solid.

      To stay on topic here, openvpn is a great tool to overcome the limitations of using many mail servers out there.

  12. Force customers to fix compromised boxes by Florian+Weimer · · Score: 1

    That's the only thing that will work in the long run. Everything else just reaches those who are already somewhat aware of the problem.

    Unfortunately, calling the customer and walking him through disinfection/reinstall costs too much money, so only very, very few ISPs do it at all.

    1. Re:Force customers to fix compromised boxes by tsg · · Score: 1

      Unfortunately, calling the customer and walking him through disinfection/reinstall costs too much money, so only very, very few ISPs do it at all.

      It's not really the ISP's job to fix their computer. It's a little like calling the phone company because your answering machine is broken.

      --
      People's desire to believe they are right is much stronger than their desire to be right.
    2. Re:Force customers to fix compromised boxes by Dimensio · · Score: 1

      I agree, but at the very least the ISP should cut connectivity. Allowing compromised boxes on the network allows criminals to use the network to facilitate acts of theft and fraud.

      This is like calling the phone company to report that someone's phone box has been compromised and is being used to make anonymous obscene phone calls. Yes, it might be the user's property that is broken, but that property is still being used to abuse the phone system.

    3. Re:Force customers to fix compromised boxes by WormholeFiend · · Score: 1

      but then the same kind of clueless user that allows his/her box to fester with viruses will switch to another ISP which won't cut the service off... because the clueless user might not understand the root cause of being cut off.

    4. Re:Force customers to fix compromised boxes by tsg · · Score: 1

      I agree, but at the very least the ISP should cut connectivity. Allowing compromised boxes on the network allows criminals to use the network to facilitate acts of theft and fraud.

      Absolutely. But that should be the extent of what they are expected to do unless they have specifically sold computer tech support as part of their contract.

      --
      People's desire to believe they are right is much stronger than their desire to be right.
    5. Re:Force customers to fix compromised boxes by tsg · · Score: 1

      but then the same kind of clueless user that allows his/her box to fester with viruses will switch to another ISP which won't cut the service off...

      Hopefully most ISPs will do the same thing and the user will find it harder and harder to get internet service. Even if they do, it's still better than leaving the box connected continuously.

      because the clueless user might not understand the root cause of being cut off.

      Even the most clueless users understand that viruses are bad (it's usually the first thing they blame when something on their system breaks). They may not know how they get them or how to keep from getting them, but they know what they are. Even if they don't, after the third ISP kicks them off for having them they might think to ask someone.

      --
      People's desire to believe they are right is much stronger than their desire to be right.
    6. Re:Force customers to fix compromised boxes by Dimensio · · Score: 1

      but then the same kind of clueless user that allows his/her box to fester with viruses will switch to another ISP which won't cut the service off...

      And that ISP will quickly discover that no one wants their packets.

      because the clueless user might not understand the root cause of being cut off.

      That's why you explain it to the clueless user, as one would a child. If they still don't understand, have a contract clause that allows the ISP to confiscate the customer's computer and burn it.

    7. Re:Force customers to fix compromised boxes by Florian+Weimer · · Score: 1

      It's not really the ISP's job to fix their computer [the customer's].

      They make money by providing connectivity. Almost in the same way, you could argue that companies are not responsible for pollution.

      It's a little like calling the phone company because your answering machine is broken.

      Your answering machine isn't fooling with SS#7 and telephone switches. Compromised home systems are known to wreak havoc in many ways, some of them very nasty.

    8. Re:Force customers to fix compromised boxes by tsg · · Score: 1

      They make money by providing connectivity.

      The ISP should be expected to cut the connectivity of the zombied computer. But cleaning it up is not their responsibility.

      Your answering machine isn't fooling with SS#7 and telephone switches. Compromised home systems are known to wreak havoc in many ways, some of them very nasty.

      Well, to extend the analogy, if your modem is calling up people at 2am, the phone company is not expected to fix your modem, but is expected to turn off your phone if you won't fix it.

      --
      People's desire to believe they are right is much stronger than their desire to be right.
  13. Guideline by XanC · · Score: 1

    Don't use Exchange!

  14. How about "no more delayed bounces" by Anonymous Coward · · Score: 5, Insightful

    I'd be very happy if everyone could get their act together and reject undeliverable addresses during the SMTP transaction. Delayed bounces are responsible for most of the backscatter which pollutes my mailboxes and logs these days.

    Qmail, I'm looking at you. People who don't run something like LDAP on their secondary MXs, I'm looking at you.

    I'm almost to the point of blocking the null sender from certain hosts, just because they are nothing but crap. I know all about the RFC (and rfc-ignorant.org), but they're causing a serious problem for the rest of the world.

    The worst part is for people who run control panels like Plesk. They have to run qmail (no choice in the matter), and so they either become a delayed bounce source, or they enable the catchall and get to suck down all that mail. They can't win.
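The accept-then-bounce versus 550-at-RCPT behaviour that WoodstockJeff's comment and this post describe, as an added example (not code from the thread); the domain, user lists, policy flag and addresses are constructed for the example.

```python
"""Why rejecting unknown recipients during the SMTP transaction stops backscatter.

Added example, not from the thread.  Two constructed servers for the same
domain differ in one policy flag: one checks its user list at RCPT TO and
answers 550, the other accepts anything for its domain and only discovers the
unknown user at delivery time, so the only thing it can do is send a bounce to
the envelope sender, which is whatever address the sender put there.
"""
from dataclasses import dataclass, field


@dataclass
class MailServer:
    domain: str
    valid_users: set                     # local parts this server can deliver to
    validate_at_rcpt: bool               # True: answer 550 during the transaction
    bounces_sent: list = field(default_factory=list)  # (bounce recipient, unknown address)
    mailboxes: dict = field(default_factory=dict)

    def rcpt_to(self, envelope_from, recipient):
        """SMTP response to RCPT TO:<recipient> after MAIL FROM:<envelope_from>."""
        local, _, domain = recipient.rpartition("@")
        if domain.lower() != self.domain:
            return 554, "5.7.1 Relay access denied"   # not our domain: never relay
        if self.validate_at_rcpt and local not in self.valid_users:
            return 550, "5.1.1 No such user here"     # sender learns this in-session
        return 250, "2.1.5 OK"

    def deliver(self, envelope_from, recipient):
        """Runs after DATA for every recipient that got 250 at RCPT TO."""
        local = recipient.rpartition("@")[0]
        if local in self.valid_users:
            self.mailboxes.setdefault(local, []).append(envelope_from)
            return "delivered"
        # Too late to answer 550: the only way to report the failure now is a
        # DSN to envelope_from.  A forged envelope sender turns that into backscatter.
        if envelope_from:                             # null sender <> gets no bounce
            self.bounces_sent.append((envelope_from, recipient))
        return "bounced"


def submit(server, envelope_from, recipient):
    """One message from a (possibly forged) envelope sender to one recipient."""
    code, _ = server.rcpt_to(envelope_from, recipient)
    if code != 250:
        return f"rejected {code}"
    return server.deliver(envelope_from, recipient)


def backscatter_to(server, victim):
    """Bounces this server has sent to an address that never sent anything."""
    return sum(1 for to, _ in server.bounces_sent if to == victim)


def compare():
    """Constructed run: the same junk, with a forged envelope sender, aimed at
    three non-existent and one real local part on both servers.
    Returns (bounces to the forged address from lazy, same from strict)."""
    users = {"alice", "bob"}
    lazy = MailServer("bigcompany.example", users, validate_at_rcpt=False)
    strict = MailServer("bigcompany.example", users, validate_at_rcpt=True)
    forged = "victim@anywhere.example"                # never sent any of this
    for local in ("notavalidemailaddress", "sales", "info", "alice"):
        for server in (lazy, strict):
            submit(server, forged, f"{local}@bigcompany.example")
    return backscatter_to(lazy, forged), backscatter_to(strict, forged)
```

The same check is what a secondary MX needs in order not to become a bounce source itself, which is the LDAP point raised in this post.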

    1. Re:How about "no more delayed bounces" by Anonymous Coward · · Score: 0

      That's easy to do with qmail; I've been doing it for years.

      Hack in a goodrcptto file; just like badrcptto, and list all your users in the file.

      You even get to come up with a fun 5.x.x error message.

    2. Re:How about "no more delayed bounces" by Tripster · · Score: 1

      There are patches for qmail that will fix this, the server will check for the user at the SMTP stage and refuse if user doesn't exist.

    3. Re:How about "no more delayed bounces" by ElForesto · · Score: 1

      Because I'm using qmail-scanner to check messages for broken headers, viruses and spam content, my mail server HAS to accept the message first. It would be nice if qmail-scanner would check to see if the recipient is valid first as I get a lot of envelopes addressed to users on my domain that don't even exist.

      Heck, if I knew how to write Perl, I'd help them make something to do that.

      --
      There is a difference between "insightful" and "inciteful" other than spelling.
    4. Re:How about "no more delayed bounces" by CritterNYC · · Score: 1

      I'd be very happy if everyone could get their act together and reject undeliverable addresses during the SMTP transaction. Delayed bounces are responsible for most of the backscatter which pollutes my mailboxes and logs these days.

      Don't forget that any cheesy-ass server that's configured to bounce after-the-fact can easily be used by anyone to perform a distributed mailbomb on any email address they like. Just send to a slew of non-existent addresses on a few of the above-mentioned servers.

    5. Re:How about "no more delayed bounces" by Anonymous Coward · · Score: 0

      What good is my backup MX if it is dependent (through LDAP) on the primary MX? And how am I supposed to implement this concept on systems that I don't directly control -- i.e. where I have a mutual backup MX agreement with someone, for the sake of an off-site MX?

      It's a good idea, but I don't see how it's possible without defeating the purpose of a backup MX.

    6. Re:How about "no more delayed bounces" by bedessen · · Score: 1

      "my mail server HAS to accept the message first" -- not true at all

      If you used exim/exiscan/spamassassin/clamav you could do all that scanning at delivery time and reject the message after the DATA phase with a 5xx code. My mailserver rejects spam and malware at the SMTP transaction time. I know there are similar schemes for other MTAs.

    7. Re:How about "no more delayed bounces" by bedessen · · Score: 1

      That's because backup MXs are an anachronism of a time when sites weren't always connected to the net. If your primary MX goes down all legitimate senders will queue the message and keep trying for quite some time. There's no need for a redundant 3rd party MX on the modern internet. If you want extra assurance then run dual MXes on-site so if one must go down the other will handle the load. But the whole "external" MX idea is just outdated.

  15. When Will Congress Step Up To Bat? by adeas · · Score: 1

    I know that Congress has done a lot of stupid things to restrict or otherwise put restrictions on all things tech (*cough* DMCA *cough*), but I think that if there were criminal penalties for spamming, then there would be at least a degree less of it. My logic isn't so much that fear of the law will scare people off (There are still 6 million users of P2P networks, regardless of the RIAA's attempts to shut them down or scare them with law and lawsuits), but that here there is a wider economic reason. Sure with music and movie piracy, the labels, artists, and retailers miss out on a bit of money, but it's limited to that market. Spam affects us all - businesses, government, schools - there's a more compelling reason to do something about it. I would also wager that a large number of the spam in the world comes from a limited number of sources (Though, I doubt all are American). Take out the big senders, and it cuts down the numbers - sorta like the drugs war (Take out producers and it will cut down the number of dealers and addicts), but hopefully with better success.

  16. They are still not serious by phunster · · Score: 1

    These are of course the companies who have shown themselves to be the least clueful in the past. If they were serious about establishing best practices, they would have included in the list things like having a clueful helpdesk that does more than send a canned response to complaints. All help desk employees working on spam issues should be required to know how to read email headers. Part of best practices would include a requirement to shut down web sites that benefit from spam or phishing. Nope, sadly these guys are not yet serious, and it's obvious.

  17. oh this is good by Anonymous Coward · · Score: 0

    The worst companies out there for blocking legitimate mail are telling US about best practices to block spam? niiiiiiiiice, I think I'll get to work on their suggestions sometime around February 31st.

  18. don't put exchange as the first stop by vg30e · · Score: 3, Informative

    Most Exchange problems occur when you have an Exchange server being the SMTP gateway. If I were you, find a product to be the SMTP gateway that doesn't use anything made by Microsoft. There are also serious problems using the IIS SMTP service to talk to Exchange. So, in short, get another kind of SMTP gateway to run the SMTP service, and then run Exchange behind it, forwarding all mail to your non-Microsoft gateway.

  19. ISP's need to act by nagora · · Score: 4, Insightful
    If someone has an open relay box because of some Trojan horse program, surely their ISP is in the best place to notice the traffic patterns in and out of their port 25. Cut them off, and when they call to complain, tell them to sort their machine out or find another ISP.

    But, of course, that might cost the ISP's money. So instead we get a "best practice" document which preaches to the converted and achieves nothing.

    TWW

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
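One way an ISP could act on the traffic-pattern idea in the post above, as an added example that is not code from the thread: scan outbound flow records for subscriber hosts that open port-25 connections to many distinct mail servers in a short window, while ignoring submission to the ISP's own smarthost. The flow records, the thresholds, and the smarthost address 203.0.113.25 are all constructed for this example; a real deployment would feed NetFlow/sFlow or firewall logs into the same function.

```python
"""Spot spam zombies from outbound port-25 flow records.

Added example, not code from the thread. The records below are constructed
and use RFC 5737 documentation address ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy values; tune them to the subscriber population.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_MX = 20           # distinct port-25 destinations per window
MAX_CONNECTIONS = 50           # total port-25 connections per window
SMARTHOSTS = {"203.0.113.25"}  # the ISP's own outbound relay (assumed address)

# Constructed sample flows: (timestamp, src_ip, dst_ip, dst_port).
_base = datetime(2004, 6, 22, 9, 0, 0)
SAMPLE_FLOWS = []
# An infected host blasts 30 different mail servers within three minutes.
for i in range(30):
    SAMPLE_FLOWS.append((_base + timedelta(seconds=6 * i), "192.0.2.10",
                         f"198.51.100.{i + 1}", 25))
# A normal user submits through the ISP smarthost a few times.
for i in range(3):
    SAMPLE_FLOWS.append((_base + timedelta(minutes=i), "192.0.2.11",
                         "203.0.113.25", 25))
# Plain web browsing is not mail traffic at all.
SAMPLE_FLOWS.append((_base, "192.0.2.12", "198.51.100.200", 80))
# A light legitimate sender touches five remote MXs spread over an hour.
for i in range(5):
    SAMPLE_FLOWS.append((_base + timedelta(minutes=12 * i), "192.0.2.13",
                         f"198.51.100.{50 + i}", 25))


def find_zombies(flows, window=WINDOW, max_distinct=MAX_DISTINCT_MX,
                 max_conn=MAX_CONNECTIONS, smarthosts=SMARTHOSTS):
    """Return {src_ip: counters} for sources exceeding a threshold in any window."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        # Only direct-to-MX traffic matters; submission to the smarthost is fine.
        if port != 25 or dst in smarthosts:
            continue
        per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        in_window = defaultdict(int)  # dst -> connections inside the window
        for end, (ts, dst) in enumerate(events):
            in_window[dst] += 1
            # Slide the window start forward past events older than WINDOW.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            total = end - start + 1
            if len(in_window) > max_distinct or total > max_conn:
                flagged[src] = {"distinct_destinations": len(in_window),
                                "connections": total,
                                "first_seen": events[start][0]}
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_zombies(SAMPLE_FLOWS).items():
        print(f"{src}: {info}")
```

The distinct-destination count is the useful signal: a legitimate client talks to one smarthost, while a zombie fans out to many MXs directly. The thresholds are deliberately generous so that a small business running its own MTA on a residential line does not trip them on normal traffic.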
    1. Re:ISP's need to act by pe1chl · · Score: 1

      Lately, at work we have been plagued by a deluge of virus mail and bounce mail, plus a heap of German racist spam, and bounces of that.
      Probably most of the world has this problem.

      I have tried to complain about virus-infected systems at ISP abuse desks, but apart from 2 or 3 exceptions most ISPs either do nothing after sending a standard "we are processing your complaint but cannot guarantee a personal reply" auto-reply message, or worse, we get something like this:

      However, we would like to point out that neither [ISP] nor her partners are responsible for the behaviour by subscribers to the [ISP] Internet Service on the internet.

      Now I wonder, is that really true? Is an ISP "not responsible for the behaviour of its subscribers" when, at the same time, this ISP is not timely handling abuse reports, and is not disclosing contact information of their clients indexed by IP address??
      They can declare themselves "not responsible" but I wonder what the legal situation is.

      I would think that they can avoid their responsibility only when they allow the victims of their customer's activities to take action themselves. That would mean they need to provide whois-like information about the fixed IP addresses of their customers.
      As it is now, a cable or ADSL account is a semi-anonymous hiding place for virus-infected Windows systems that send SPAM and viruses all day long, and nobody except law enforcement agencies is able to contact the unknowingly guilty party.
      The latter are of course not interested in taking up individual cases.

      ISPs should either be held "responsible for their customer's activities", or publish enough information to allow others to take action against them.

    2. Re:ISP's need to act by a24061 · · Score: 1
      I think we need to make some careful distinctions about holding ISPs responsible for their customers' activities. Do we want them to have to censor web content, monitor P2P traffic, etc.?

      I would say that they should be responsible only for customers' activities that "push" unwanted data to unwilling parties: sending spam and death threats, but possibly nothing else. ISPs should not be held responsible for what their customers allow others to "pull" (web pages, P2P, etc.).

  20. Re:Horse Balls by mr_z_beeblebrox · · Score: 0

    4 years and I haven't gotten a single spam on my work account. No filters, and I use it dozens of times a day.

    Honestly, you expect ANYONE to believe that you are on the net enough to get FP on /. and you were able to hold a job for four years. Your spam comment is more believable than your employment history.

  21. What about laptops by Marrow · · Score: 2, Interesting

    If port 25 is being blocked and you don't want users to change their outgoing SMTP servers all the time, what is the best way to have reliable email on laptops?

    Is VPN the only way to make mail reliable and consistent on laptops?

    1. Re:What about laptops by merdely · · Score: 1

      I haven't seen port 465 blocked (SMTP over SSL). As an ISP, enabling [email protocol] over SSL is a good practice.

    2. Re:What about laptops by walt-sjc · · Score: 1

      Why would users need to change their outgoing servers "all the time"? Why not just do it ONCE? Use port 587 (the submission port) and all will be fine.

    3. Re:What about laptops by Yobgod+Ababua · · Score: 1

      VPN is indeed one choice (and a good one).

      I support my remote users by having an smtp server that only accepts authenticated TLS connections. It was listening on port 25, because THAT'S THE PORT THAT WAS ASSIGNED FOR SMTP, but I'm going to have to move it elsewhere.

      There doesn't appear to be a clear consensus for what port to use for authenticated smtp. Some people use 465 (assigned for SMTP over SSL), others seem to use 26, 2525, or 4025. I think I'm going to go along with stealing 26, because I want a low numbered port, don't think it's appropriate to run a non-SSL-wrapped SMTP service on 465, and because some ISPs that already block 25 also block 465.

    4. Re:What about laptops by Yobgod+Ababua · · Score: 1

      Addendum to myself.

      Finally found the information I was looking for...

      authenticated smtp is supposed to be on port 587.

    5. Re:What about laptops by Marrow · · Score: 1

      Excellent. I will research both of those topics. Thank you for responding.

    6. Re:What about laptops by Cpyder · · Score: 1
      > If port 25 is being blocked and you don't want users to change their outgoing SMTP servers all the time, what is the best way to have reliable email on laptops?

      Authenticated SMTP over SSL. The Auth part to be able to relay mail for users you trust, SSL to prevent their login details from being stolen by middlemen looking for relays.

  22. *cough* *cough* by Anonymous Coward · · Score: 3, Informative

    *COUGH* bullshit *COUGH*

    Out of this list of ISPs (AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast), AOL is the ONLY ISP who is actively working in the antispam community - seriously. They've got a single contact for dealing with it and they are keeping their ax sharp and swinging it whenever needed.
    All of those other posers are lying through their teeth. Yahoo, MSN/Hotmail, Earthlink, Comcast? Antispam? They'd choke if they tried to say, "We're antispam". It's sad now that AOL has made a solid effort that they're going to be painted with the same brush as those other spam-havens.

  23. it all works out for the ISPs by mr_z_beeblebrox · · Score: 2, Funny

    Spammers paid a lot to get their spam out and people like AOL and Earthlink cozied right up. Now it is unpopular so they pretend to be fighting spam. My guess is that then they will hold out for more profit from spammers, it is a cycle of blackmail.

    1. Re:it all works out for the ISPs by Anonymous Coward · · Score: 0

      No, spammers don't pay a lot to spam - that's precisely why they do it.

      The cost of sending thousands of e-mails is quickly offset if just one out of every 10000 e-mails results in a hit.

    2. Re:it all works out for the ISPs by Anonymous Coward · · Score: 0

      AOL is not pretending. Trust me.

  24. Protect your own domain name by Talking+Toaster · · Score: 5, Insightful

    best practices to help fight spam. The list of ISPs include the likes of AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast.

    Something that would really help is for these big companies to protect their own domain names by going after anyone who forges the headers as such. These days if someone isn't already in my whitelist they are probably going to get caught in my spam filters if they use any of these domain names.

    Under most circumstances I think it is a bad thing for a company to throw lawyers at someone until there is nothing left but a smoking hole in the ground, but I think I would make an exception for spammers. These companies not only have the resources to make spamming unprofitable, but they have a valid, and vested interest to do so.

    --
    Howdy Doodly Doo!
    Anybody want some Toast?
  25. Penalties by Anonymous Coward · · Score: 2, Insightful

    If you want to kill spammers, kill their source of income. Fine the hell out of the people advertising through them. Hit where it hurts (the bottom line) and spammers would be out of a job.

    1. Re:Penalties by Animats · · Score: 4, Informative
      Exactly. That's what California enacted as law, and what the Direct Marketing Association successfully blocked by pushing the CAN-SPAM act through.

      The California law made the "beneficiary" of the spam responsible for it. And anybody could sue. That would have made hiring a spammer very risky.

      Broadly defining the "beneficiary" could go even further. The credit card service provider, and the bank behind them, could be held responsible for spam if they processed a transaction resulting from spam. They profit from it, after all. A good lawyer could make the case now that they bear some responsibility, especially if they assist in any way in concealing the identity of the spammer.

      We really need to go after the payment end of spam, not the sending end.

    2. Re:Penalties by Dimensio · · Score: 1

      If you want to kill spammers, kill their source of income.

      Are you sure that a bullet to the head won't be more effective? I would certainly find such a solution far more satisfying.

    3. Re:Penalties by jschottm · · Score: 1

      The problem is that it's very, very easy to poison the prosecution of the beneficiary of spam. See Basics on JoeJobs. Who's to say whether something like this came from you or not?:

      Wild, h0t animation tool available!
      See \/ar1ous polygons in full, sensual contact
      FREE DEMO
      CLICK HERE!!
      sponge arrest carriboo spade
      kumquat afredo distribution

      How do you propose to demonstrate that you didn't pay someone to send it? Turn over all of your financial records to someone to show no payments to an unknown spammer in the Ukraine that runs a server or ten in China?

      Trying to sue credit card companies and banks is pretty unreasonable as well. There's no easy way to verify every action that a merchant takes. Even if you succeeded in getting some kind of law to that effect passed, the cost would get handed right back to the consumers. Theoretically suing spammers could work because they are reasonably small operators with a small number of clients. When Visa has hundreds of millions of users, they can abuse them pretty freely.

  26. If I were an ISP... by Anonymous Coward · · Score: 0

    ... of significant size, I would tell my userbase that you must prove to me that your system hasn't been compromised by "Zombie-Ware". A scanner utility would scan their systems remotely and lock out systems found to be compromised. Any system owner that refused to be scanned would be removed from the network.

    Draconian, yes, but also effective IMHO.

  27. Mail admin here, my solution was port 26 by aardwolf204 · · Score: 5, Interesting

    As a mail administrator for a medium size company I've had to deal with residential broadband ISPs blocking access to port 25 a lot lately. It was a headache explaining to employees that work at home, at the office, and at customer sites, that they must change their outgoing SMTP setting in Outlook depending on their location. This is a true PITA as lots of times you're not supplied with that information (or at least it is not obvious to the non-technical people), for example, internet access in hotel rooms.

    For a while the quick and dirty solution was to use webmail when in doubt, but we needed something that people could live with, and as much as I dislike M$ Outlook it's a lot better than Horde, Neo, or Squirrel Mail (IMO).

    My 80% solution now is to handle SMTP on both ports 25 and, hehe, 26. So far so good, I'm able to go between the office and home on my laptop with no problems, whereas before Cox Cable wouldn't let me get to our SMTP server.

    I'm wondering what other admins have had to do in this situation. I know I'm not alone here. And how do you think it will affect the propagation of spam in the future?

    --
    Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
    1. Re:Mail admin here, my solution was port 26 by silas_moeckel · · Score: 4, Insightful

      Why don't you get with the rest of the planet and use 587 for client mailers to connect to your server and run authentication??? It's a port that shouldn't be blocked by anybody but a corporate system, and if they are blocking it you shouldn't be trying to get around it :)

      --
      No sir I dont like it.
    2. Re:Mail admin here, my solution was port 26 by Anonymous Coward · · Score: 0

      How about using the PROPER port: port 587.

    3. Re:Mail admin here, my solution was port 26 by aardwolf204 · · Score: 1

      I do run authentication and SSL is on its way, but care explaining why port 587 would be any better than, say, 26? Am I missing something here? Did I just not get the memo, or were you trying to be funny?

      --
      Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
    4. Re:Mail admin here, my solution was port 26 by plcurechax · · Score: 3, Interesting

      As a mail administrator for a medium size company I've had to deal with residential broadband ISPs blocking access to port 25 a lot lately. It was a headache explaining to employees that work at home, at the office, and at customer sites, that they must change their outgoing SMTP setting in Outlook depending on their location. This is a true PITA as lots of times you're not supplied with that information (or at least it is not obvious to the non-technical people), for example, internet access in hotel rooms.

      Um. Shouldn't you be fixing the problem, which is that you want these remote users to act as if they are part of your trusted corporate network? When you look at it this way, you realise that the best (and far more secure) solution is to be using a VPN into a DMZ that can access limited services needed for tele-commuters and road warriors.

    5. Re:Mail admin here, my solution was port 26 by aardwolf204 · · Score: 1

      Ok, this is the first I've heard of this. Got any references I should check out? Googling "Port 587" isn't leading me anywhere useful yet.

      --
      Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
    6. Re:Mail admin here, my solution was port 26 by aardwolf204 · · Score: 1

      True, that would be the better approach, but they want a very simple solution and so far POP3/SMTP has been working fine. I've been trying to explain the virtues of RPC over HTTP (MAPI), or even SSL IMAP / SSL SMTP, but VPN is out of the question (for some reason the CIO doesn't like the word). Besides, this solution is universal for everyone, not just the road warriors, which means less confusion in documentation.

      --
      Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
    7. Re:Mail admin here, my solution was port 26 by kaisyain · · Score: 1

      http://www.faqs.org/rfcs/rfc2476.html

    8. Re:Mail admin here, my solution was port 26 by harlows_monkeys · · Score: 4, Informative
      I do run authentication and SSL is on its way, but care explaining why port 587 would be any better than, say, 26?

      Because port 587 is the one specified in the Message Submission RFC (RFC 2476).

    9. Re:Mail admin here, my solution was port 26 by walt-sjc · · Score: 1

      Maybe because RFC 2476 says it should be 587 and not 26???

    10. Re:Mail admin here, my solution was port 26 by aardwolf204 · · Score: 1

      Ok, I googled a bit and found:

      Sendmail is listening on port 587 as well as the standard port 25! What is going on?

      Recent versions of Sendmail support a mail submission feature that runs over port 587. This is not yet widely supported, but is growing in popularity.

      Now if listening on port 587 for SMTP is gaining popularity, then that's just another reason I should not use it, as once residential broadband ISPs get wind of it they might start blocking that port too. This is a cat and mouse game; staying away from the crowd is the way to go IMO.

      Thoughts?

      --
      Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
    11. Re:Mail admin here, my solution was port 26 by Malc · · Score: 1

      Your CIO is an idiot then. You can still have consistency and common settings with a VPN solution. How do your road warriors access other corporate network resources, or is that all exposed to the internet too? Why mess with all those other technologies and approaches when VPN solutions have existed for years and provide a simple and almost transparent solution? Get them going with an L2TP connection at minimum and realise how simple it is.

    12. Re:Mail admin here, my solution was port 26 by aardwolf204 · · Score: 1

      Yes, but in our experience (well, theirs, before I was onboard), VPNs were not supported by many of the ISPs that our telecommuting employees worked from. What have your experiences been in that regard?

      --
      Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
    13. Re:Mail admin here, my solution was port 26 by aardwolf204 · · Score: 1

      Ok, I just read RFC 2476. Looks like R. Gellens and J. Klensin beat me to that great idea by 6 years. Thanks for clueing me in. I'm wondering to myself how the hell I would ever have found that out; I'm not one to read random RFCs. Linkies?

      --
      Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
    14. Re:Mail admin here, my solution was port 26 by Malc · · Score: 1

      I've worked from home for 4.5 years for an office over 4,000 km away in another country (I'm in Canada, they're in the US). My connection has always been PPPoE over DSL, but in that time I haven't seen anybody complain about VPNs on can.internet.highspeed when using other technologies or ISPs. Nobody I know here in Toronto seems to have any problems telecommuting more locally either. I started on PPTP, a bit of L2TP, and now I'm using this very buggy Cisco VPN client - grrr. I've used ssh to tunnel to my system when I'm on the road.

      It seems to me that there are increasing numbers of home routers that support VPN endpoints too. I'd be intrigued how ISPs don't support a VPN. Do they block them, or do they not provide tech support (which is fair enough)?

    15. Re:Mail admin here, my solution was port 26 by Skapare · · Score: 1

      Now be sure it is run in AUTH-only mode on port 587. That port is NOT for unauthorized users.

      If you were an active participant in mailing lists dealing with your MTA software and/or spam issues, you'd have known about port 587 years ago. And you call yourself a mail administrator? You may be one, but you aren't putting yourself in a position to keep up to date with all the things going on. Get with the program.

      --
      now we need to go OSS in diesel cars
    16. Re:Mail admin here, my solution was port 26 by silas_moeckel · · Score: 1

      I guess read the piled-on RFC quotes :) But yeah, like I said, 587 is the RFC standard port for an MUA to talk to an SMTP server. SMTP servers talk to other SMTP servers via port 25 to preserve backwards compatibility.

      --
      No sir I dont like it.
    17. Re:Mail admin here, my solution was port 26 by silas_moeckel · · Score: 1

      Well, the point being is that the SMTP server should only accept authenticated single-hop mail on that port from its domain and it can verify the username/password. Really it's meant to get around all the hacks to close open relays that broke laptops and other mobile users.

      --
      No sir I dont like it.
    18. Re:Mail admin here, my solution was port 26 by Anonymous Coward · · Score: 0

      From what I remember the ISP was blocking them. VPN is the way to go, but with the amount of traveling our work force does and the unreliability of many ISPs all around the world, that is not something I want to be supporting. We use VPN links between satellite offices, but getting our road warriors to check SMTP authentication in their email client is hard enough; getting them to use VPN would be tough.

      You know how it goes, everything would be fine if it weren't for the users ;)

    19. Re:Mail admin here, my solution was port 26 by amlutias · · Score: 1

      PLEASE USE SSL

      and your CIO is a moron.

    20. Re:Mail admin here, my solution was port 26 by aardwolf204 · · Score: 1

      Thank you for the advice. I will keep port 587 AUTH only. I have never let my mail server become an open relay and never intend to. I agree, I am a newbie at administrating mail servers. I used to do web-dev work for this company, but since we're pretty small and the CIO decided to host our own mail I was given the task of setting up Exchange. I'm fluent with Server 2003, Exchange, SQL, SharePoint, Office, etc. No, I'm not an MCSE paper monkey; yes, I've been coding since I was 11 on my PC-XT, but you're right, I'm new at this and I need to get with the program. Instead of bashing me (unless I'm reading it wrong), could you refer me to said program? My experiences have only been within the Exchange realm and not the bigger picture of the internet.

      Thank you very much in advance. I look forward to delving into whatever you point me at. I'm open minded.

      --
      Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
    21. Re:Mail admin here, my solution was port 26 by Anonymous Coward · · Score: 0

      That is one of the great things about OpenVPN: it uses UDP for a transport, thus sailing by many, many problems from firewalls, ISPs, etc. (Another is that it doesn't use any IPSec crap, so no kernel mods; it uses normal crypto: Blowfish, public key stuff, etc.)
      As usual, YMMV, but I think OpenVPN is a breakthrough product that is a real sleeper right now.

    22. Re:Mail admin here, my solution was port 26 by bruthasj · · Score: 1

      > I'm wondering what other admins have had to do in this situation.

      Here's how a ton of people do it:

      1. Connect to VPN.
      2. Collect email.

    23. Re:Mail admin here, my solution was port 26 by Skapare · · Score: 1

      My first suggestion is to subscribe to the SPAM-L mailing list.

      My next suggestion is to front-end Exchange with something stronger on security, especially if the machine running Exchange stores any confidential data (such as mail). For example, you can run a Postfix server on OpenBSD or Linux and configure it to accept mail for all your domains and pass them to Exchange. Put Exchange on a private IP address so it isn't reachable by the public. That will cover you between the times when exploits are revealed and you can get them installed. And this will let you build up some experience in this software, too.

      And finally, help advise us on how better to get the word out to those mail admins that don't yet know. For example, what could we have done to help ensure you had become aware of these things a lot sooner? Is there some course you took that we should clue-in the teacher for? Is there some book you read that we should clue-in the author of?

      --
      now we need to go OSS in diesel cars
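A Postfix configuration that carries out both suggestions in this subthread: the AUTH-only, TLS-only submission listener on port 587 that silas_moeckel and Skapare describe, and the Postfix gateway in front of Exchange from the post above. This is an added example, not configuration from any poster. The hostname, domain, certificate paths, map file names and the Exchange address 10.0.0.5 are placeholders, and it assumes a SASL backend is already configured for Postfix. In master.cf, comments must sit on their own lines and `-o` values may not contain spaces, which is why the restriction lists are written without them.

```text
# --- /etc/postfix/master.cf -------------------------------------------
# Port 25: plain MTA-to-MTA service. SASL stays off here (main.cf default),
# and reject_unauth_destination in main.cf limits it to our own domains.
smtp       inet  n       -       n       -       -       smtpd

# Port 587: message submission. Each -o line overrides main.cf for this
# listener only. TLS is mandatory, AUTH is offered only inside TLS, and an
# unauthenticated client cannot even address a recipient.
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# --- /etc/postfix/main.cf ---------------------------------------------
# Placeholder names and paths; substitute your own.
myhostname = mail-gw.example.com
smtpd_tls_cert_file = /etc/postfix/gateway-cert.pem
smtpd_tls_key_file = /etc/postfix/gateway-key.pem
# Opportunistic TLS on port 25; the submission listener raises this to "encrypt".
smtpd_tls_security_level = may
# No AUTH on port 25; only the submission listener turns it on.
smtpd_sasl_auth_enable = no
# Which SASL logins may use which envelope sender (for reject_sender_login_mismatch).
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
# Be the front door for these domains, and know the valid recipients so the
# gateway never accepts (and later bounces) mail Exchange would refuse.
relay_domains = example.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport
# Port 25 relays only to our own domains; there is no open-relay path.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# --- /etc/postfix/transport (then run: postmap /etc/postfix/transport) --
# Everything for example.com goes to Exchange on a private address that is
# not reachable from the Internet.
example.com    smtp:[10.0.0.5]
```

The `relay_recipient_maps` entry is the part most often skipped: without it the gateway accepts mail for any address in the domain, Exchange later rejects the unknown ones, and the gateway generates bounces to forged senders, which is exactly the backscatter the thread complains about.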
  28. might help if... by voudras · · Score: 2, Funny

    might help if they publish these in korean and chinese

  29. Common Spam relays suggest Anti-Spam strategy by Anonymous Coward · · Score: 0

    Considering the amount of spam I have seen from AOL, Yahoo, MSN, Hotmail and Comcast, perhaps these anti spam guidelines should be a 'best practices to avoid' list.

  30. Related article on Reuters by FirstTimeCaller · · Score: 1

    I'm not totally sure if this is directly related to the ASTA statement or not, but Reuters is reporting that major ISPs are pushing to unplug spam-sending PCs.

    Personally, I think that this would be a step in the right direction, but one comment in the article has me concerned...

    But the group also suggested consumers be held accountable if their machines are exploited by spammers.

    Is it reasonable to expect that your average home user will act as responsibly as a company's system administrator at keeping their systems patched? Heck, I'm not all that certain that the sys admins are doing all that great of a job of it (Slashdot readers excepted of course).

    --
    Wanted: witty unique signature. Must be willing to relocate.
    1. Re:Related article on Reuters by Tripster · · Score: 2, Insightful

      Is it reasonable to expect that your average home user will act as responsibly as a company's system administrator at keeping their systems patched?

      If they keep getting fined and/or booted by ISPs then yes, it is reasonable to expect it. After all, our public highways are safer because we expect people to learn to use vehicles and to also properly maintain them mechanically. If you drive around with no brakes and cause an accident you will be held accountable.

      What would you prefer? When you have idiots getting infected by viruses by actually entering a password to the encrypted zip attachment it means said user sorely needs some education about proper usage of the device in front of them. Since all the TV/Radio/Newspaper stories telling these same idiots not to open unannounced attachments don't seem to work then hitting them in the pocket book or removing them from the information highway entirely might be a better education method.

      Really, the users are only stupid if you keep on letting them do the same old things without educating them, for those extra stupid you need more extreme training methods.

    2. Re:Related article on Reuters by jejones · · Score: 1

      Is it reasonable to expect that your average home user will act as responsibly as a company's system administrator at keeping their systems patched?

      To possibly stretch the computer user as car user metaphor beyond its elastic limit: states that have periodic car inspection laws expect car owners to keep their cars up to snuff even though average car owners aren't mechanics, so why not?

    3. Re:Related article on Reuters by FirstTimeCaller · · Score: 1

      ...states that have periodic car inspection laws expect car owners to keep their cars up to snuff even though average car owners aren't mechanics, so why not?

      Of course a poorly maintained car can result in the death of the owner as well as others. While I hate spam as much as the next guy, it's still not a matter of life and death.

      I think that disconnecting misbehaving PCs is a reasonable remedy -- but I'm opposed to instituting any kind of fines. Unless you're willing to hold the software publishers liable as well for vulnerabilities in their products (I'm guessing that with Microsoft's lobbying power we're never gonna see that happen).

      --
      Wanted: witty unique signature. Must be willing to relocate.
    4. Re:Related article on Reuters by GorillaButt · · Score: 1

      I think the ASTA folks want the owner of the compromised system to be accountable for cleaning up their machine, patching their system, running virus software, etc. I don't think anyone is saying grandma needs to go to jail :-)

    5. Re:Related article on Reuters by Dakota+Rider · · Score: 1

      > But the group also suggested consumers be
      > held accountable if their machines are
      > exploited by spammers.

      So does a consumer then get the pass-through right to sue Microsoft for Outlook's weakness? Doubtful. Nothing matches Outlook's attractiveness as a conduit for worms. Besides the numbers (no arguing with or complaining about that), the architecture sucks. Wormer's wet dream.

  31. no preview pane! by LuxFX · · Score: 1

    There's a fairly important and really simple improvement that I'm surprised wasn't covered by this list. Consumers: turn off the 'preview pane' in your email client. Vendors: set the preview pane 'off' as the default when you ship email clients.

    The preview pane gets people in so much trouble, especially with Outlook/Express. Without harping over the potential for automatically triggering viruses, a lesser known problem is web bugs. These little images are linked from the email, and when they are retrieved from the server, the spammer is able to record that you've viewed his/her spam. One, this lets the spammer collect statistics, which enables him/her to create a better product -- and why encourage them?

    And two, it identifies what email opened the spam, which lets the spammer confirm which addresses are active. If you've viewed the spam, the spammer can put your email on a confirmed-email list, which he/she is then eager to resell at a higher price as opposed to larger lists of unconfirmed addresses.

    This is always the first step I recommend to people who complain about the amount of spam they get. This trick won't necessarily reduce your current spam, but it will reduce the acceleration of spam to your inbox.

    --
    Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
    1. Re:no preview pane! by YrWrstNtmr · · Score: 1

      Preview pane is "ok" if graphics are turned off. Outlook 2003 does this by default.
      Graphics (web bugs, etc.) are only retrievable on request:
      "Right-click here to download pictures. To help protect your privacy, Outlook prevented automatic download of this picture from the Internet."

      Or, just read in plain text mode.
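The web bugs described in this subthread can be spotted before any client renders the message. The scanner below is an added example, not code from either poster: it parses the HTML part(s) of a message, keeps only images fetched over HTTP(S) (inline `cid:` images never leave the mailbox), and flags the two signs of a tracker, a 1x1 image or a query string carrying a per-recipient token. The message and hostnames are constructed for this example.

```python
"""Find remote-image "web bugs" in an HTML email.

Added example, not code from the thread. The message below is constructed;
pass the bytes of a real .eml file to find_web_bugs() to scan one.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one tracking pixel, one ordinary banner, one inline image.
RAW_MESSAGE = b"""From: promos@example.net
To: victim@example.org
Subject: Special offer
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>See our <b>FREE DEMO</b></p>
<img src="http://track.example.net/open.gif?u=8f3a1c" width="1" height="1">
<img src="http://cdn.example.net/banner.png" width="468" height="60">
<img src="cid:logo@example.net" width="120" height="40">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the HTML."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): v for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute; None when absent or not a number."""
    try:
        return int(str(value).strip().rstrip("px"))
    except (TypeError, ValueError):
        return None


def find_web_bugs(raw_bytes):
    """Return one record per remotely fetched image, flagging likely trackers.

    A tracker is a remote image that is 1x1 (or smaller) or carries a query
    string, which is how the sender ties the fetch back to one recipient.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            src = img.get("src") or ""
            url = urlparse(src)
            if url.scheme not in ("http", "https"):
                continue  # cid:/data: images are not fetched from a server
            w, h = _dimension(img.get("width")), _dimension(img.get("height"))
            tiny = w is not None and h is not None and w <= 1 and h <= 1
            tagged = bool(url.query)
            findings.append({"url": src, "host": url.hostname, "tiny": tiny,
                             "tagged": tagged, "suspicious": tiny or tagged})
    return findings


if __name__ == "__main__":
    for f in find_web_bugs(RAW_MESSAGE):
        print(("TRACKER " if f["suspicious"] else "image   ") + f["url"])
```

Run on a mail spool this gives a per-sender count of tracked messages, which is a useful feature for a spam filter in its own right; a mail client that blocks remote images by default removes the problem for the reader, but the gateway can still use the signal.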

  32. Leverage Our Assets by Ranger · · Score: 1

    I think we should fast track those best of breed anti-spam practices and implement them to leverage our assets for an enterprise-wide robust system. So that at the end of the day we'll all come to the table and be on the same page with a turn-key solution.

    Oops... uh ... I forgot to take my happy pills. BRB

    OK. I feel better now. Well, I'm off to carve my initials in a moose and then herd some cats.

    --
    "You'll get nothing, and you'll like it!"
  33. target audience by earlytime · · Score: 3, Interesting

    While the authors say the target audience includes "ISPs and mailbox providers", the list of recommendations reads like a wishlist for large ISPs and email hosters. These are the things that hotmail, yahoo and earthlink want us to do so they don't get as much spam. There is very little in their recommendations that will help me get less spam. If I could use SPF to know where hotmail, msn and yahoo send mail from, I'd be able to reject 30% of the spam my organization receives. This isn't on the list of recommendations, although aol, earthlink, and gmail all do publish SPF records.

    It's very hard for any mail administrator to block mail from these large domains, because so much of the legitimate mail comes from their actual servers (wherever these are). I'd be happy to reject all mail addressed from msn.com or yahoo.com, but my users would see a huge increase in false positives. It's a no-brainer to drop messages addressed from dailyoffers.com because I don't see any legit mail addressed from this domain anyway.

    --
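What the post above wants from SPF is the check below: given the record a domain publishes and the IP that just connected, decide whether that IP is one the domain vouches for. This is an added example, not code from the thread; the record and addresses are constructed from documentation ranges and stand in for no real provider's data. It evaluates only the address-literal mechanisms (`ip4`, `ip6`, `all`), which is enough for the case the post describes; mechanisms that need further DNS lookups (`include`, `a`, `mx`, `ptr`, `exists`) are reported as unresolved rather than guessed at.

```python
"""Minimal SPF check for the ip4/ip6/all mechanisms of a published record.

Added example, not code from the thread. Record and client addresses are
constructed (RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record standing in for what a large provider might publish.
SAMPLE_RECORD = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all"


def check_spf(record, client_ip):
    """Evaluate `record` for a message arriving from `client_ip`.

    Returns pass / fail / softfail / neutral / none / permerror / unresolved,
    mirroring the SPF result names. Mechanisms are tried left to right and
    the first one that matches decides the result.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record: the domain says nothing about senders
    client = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:
            continue  # redirect=/exp= modifiers are outside this example
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"  # malformed record: treat as a hard error
            if client.version == network.version and client in network:
                return QUALIFIERS[qualifier]
            continue
        return "unresolved"  # include/a/mx/ptr/exists need DNS resolution
    return "neutral"  # no mechanism matched and no "all" term: neutral


def reject_on_spf(record, client_ip, reject_softfail=False):
    """Policy helper: True when the connection should be refused at SMTP time."""
    result = check_spf(record, client_ip)
    return result == "fail" or (reject_softfail and result == "softfail")


if __name__ == "__main__":
    for ip in ("198.51.100.25", "2001:db8:1::5", "203.0.113.9"):
        print(ip, check_spf(SAMPLE_RECORD, ip))
```

The helper refuses only on a hard `fail` by default, because a record ending in `~all` is the publisher saying it is not sure of its own sender list, and rejecting on that is where the false positives the post worries about come from.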

  34. terrible ISPs by emerika · · Score: 1

    Earthlink and Comcast customers account for a significant amount of SPAM sent to my email server. I have contacted these ISPs repeatedly with the date, time, and IP address of the offenders with zero response, and I continue to be spammed by these same IP addresses.

    I have Earthlink and Comcast designated as "terrible ISP" internally and now firewall out IP addresses sending spam from any ISP so designated.

    When people are sending these ISPs all the information required to stop spam and they do nothing, I think anything they have to say regarding stopping SPAM rings hollow.

    We are not talking best practices here, they cannot or will not do the minimum.

    1. Re:terrible ISPs by walt-sjc · · Score: 1

      These ISPs need to install monitoring systems so they KNOW when zombies spew. It's a big job as these networks are huge, dealing with immense traffic, but it needs to be done. Currently it's a manual process so machines spew for weeks until an ISP takes action.

      That said, I've been using DNSBLs for dynamic addresses for about a year and it has been VERY effective, cutting worm / spam down by 60% or better. Local pattern matching on RDNS helps even more.

    2. Re:terrible ISPs by Anonymous Coward · · Score: 0

      Pray that you never run into such a system and run a local dns resolver. Generation 1 of such systems will think you're spewing.

  35. Comcast giving us anti-spam techniques is like... by Anonymous Coward · · Score: 0

    ...Paula Abdul critiquing other people's singing talent, or Christopher Reeve judging a dance contest!

    Comcast does not belong on that list, unless you're trying to prove the old saying, "Those who can, do; those who can't, teach."

  36. OpenVPN by dpilot · · Score: 1

    But are there mail service outfits that support OpenVPN? F'rinstance, DynDNS.org will relay mail for you - either direction. To get around ISP blocking on the incoming side, they give a list of ports they'll support.

    But that's still an incoming SYN packet, and how long until ISPs block ALL incoming SYNs? It's against my cable ISP's TOS to run ANY services on the Internet, so they're well within their rights to do this. (Can't get DSL, can't even get V.90, 28 or 32 is IT.)

    While it's technically possible to pretend the UDP used by OpenVPN has state, as iptables does, and use that to block it, it would be harder to manage for the entire userbase. Forwarding email over OpenVPN would be useful, and by definition protected from relaying.

    It would also be no effort to block port 25 outbound, but moving that to a different port is trivial, and they're not going to block THAT without something much smarter, and much more expensive.

    --
    The living have better things to do than to continue hating the dead.
  37. 'bout time by davmoo · · Score: 1

    It's nice to see AOL, Yahoo, and Hotmail working to eliminate spam. Especially since for years they allowed the majority of spamming to take place on their networks...

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
  38. Where are the best practices by linuxwrangler · · Score: 4, Interesting

    This was just a bunch of fluff. I was hoping for some meat. The big ISPs have enough clout that if they force the issue of good practices everyone will have to adapt and the people who will have to adapt are those with broken non-RFC compliant servers.

    Best practices can encompass the RFCs and extend them to, well, best practices.

    For example:

    Per RFCs every place a domain is used it must be fully qualified and resolvable. In addition, the EHLO is supposed to be the primary hostname of the sending machine.

    Anti-spam best practice might say that the machine name must resolve back to the connecting IP. Even better, the reverse entry for the IP must include the correct hostname. This way a receiving machine can determine who the sender claims to be, that the DNS entry for that name matches the IP (anyone can spoof the header but it's lots harder to get to the DNS of a legit operation) and that the reverse DNS shows the correct hostname (which would be harder on those who have low-end connections where they don't have control over the reverse DNS entries but no problem for most IT operations - anyone with a small operation can send through their ISP anyway).

    If the major ISPs required just these items to match there would be a brief period of pain while everyone scrambles to fix broken systems but the gains from stopping viruses and spam would be enormous and tracing back to and blocking the remaining spam would be easier.

    I also saw nothing about information sharing among the large ISPs so they could quickly act against a spammer or quickly disable the web accounts to which the spam is directing people (carefully, of course, or fake spam could be a means of a DOS attack).

    Similarly, there was no mention of blocking email where the from address doesn't match the ISP. A couple years ago I dealt with massive backscatter from spam sent by an Earthlink customer THROUGH the Earthlink server. I tried to get an answer from them on why they were allowing someone to send out email "from" our domain when they have no relationship to us. Silence. Sure this is a pain for some people but people who want legitimate extra services can sign up for them. It's not so different than paying for extra static IPs. If you want to send from a different domain we'll unblock it for you for a small monthly fee after determining that you are authorized to represent that domain.

    This just scratches the surface but all in all this "best practices" is a joke.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
    1. Re:Where are the best practices by Anonymous Coward · · Score: 0

      Even better, the reverse entry for the IP must include the correct hostname.

      Not better, there are many reasonable reasons why this might not be true. You might have asmalldomain.com and mx1.asmalldomain.com resolve to the same address, but the reverse lookup returns asmalldomain.com, not the mx name. You might have load balancing for larger domains, etc.
      The RFC doesn't require the reverse resolve to match and it is wrong for people to assume that "something is fishy" if it does not.
      Reverse lookups tend to be more expensive due to the high level of gluelessness in the in-addr.arpa "zone".

      RFC-ignorant addresses some of these issues, but not all.

    2. Re:Where are the best practices by gblues · · Score: 1
      Anti-spam best practice might say that the machine name must resolve back to the connecting IP. Even better, the reverse entry for the IP must include the correct hostname.

      Except NAT causes this to break. Here's what happens:

      • My PC (hostname is "gracie") connects to mail.msn.com on port 25 to send an e-mail.
      • My PC doesn't have an internet-facing IP address. It has a non-routable IP address, and the only hostname it knows about is "gracie", so it sends "EHLO gracie.WORKGROUP"
      • If mail.msn.com is configured how you prescribe, it would try to resolve gracie.WORKGROUP to my DSL modem's IP address (and, of course, fail).
      Similarly, there was no mention of blocking email where the from address doesn't match the ISP.

      Right, because this would break a massive amount of commonly used functionality. There would be no way to force replies to go to a specific recipient.

      I tried to get an answer from [Earthlink] on why they were allowing someone to send out email "from" our domain when they have no relationship to us.

      Because they have no way to prove whether or not the sender in fact has no relationship with you. And if they are going to block outbound port 25, they had damn well better let me at least use my own domain when I send my e-mail through their servers!

      Yes, what we need is some way to authenticate that a user is authorized to send e-mail from a certain domain, that does not rely on me actually being within that domain (i.e. sending an e-mail via Hotmail with an @yahoo.com reply-to address). However, such a system has not been implemented yet.

    3. Re:Where are the best practices by a24061 · · Score: 1
      Similarly, there was no mention of blocking email where the from address doesn't match the ISP.

      Why should the From-address match the ISP? I work from home a lot so I send out e-mails with my work address in From and Bcc (so I can refer to them when I'm at the office).

      My personal e-mails have a From-address that happens to match my ISP, but that isn't the case for many people who use a vanity domain or have different suppliers for e-mail and connectivity.

    4. Re:Where are the best practices by linuxwrangler · · Score: 1

      So you are knowingly violating the RFC. Pardon me if I am unconcerned if your mail fails to get through.

      And really, what's the problem?

      I, too, use a firewall that incorporates NAT. The mailserver has a FQDN and resolving that name will give you the appropriate external IP address of the firewall. This would be enough but for efficiency and to deal with machines without external access I utilize a split-horizon DNS setup so that external requests get the external IP address and inside requests get the internal IP address.

      Similarly, my home mailserver which also handles traffic for several friends and organizations I'm involved with has a hostname that resolves back to my static external IP address. The fact that the packets are routed through my NAT box to get to that machine is not an issue.

      As to the second issue, reread my original post. Sending email with an alternate from address could be accommodated by the ISP for those who have contacted them for that "value-added" service - not for the random spammer. Note, many ISPs already do block unauthorized From addresses so I'm not inventing anything new here.

      I'm with you on port blocking. I don't think ISPs have any business blocking ports. Cutting off zombie machines, sure, but not blocking ports.

      --

      ~~~~~~~
      "You are not remembered for doing what is expected of you." - Atul Chitnis
  39. forcing valid reverse domains on HELO would help by HTD · · Score: 1

    I run my own mailserver and when I tried to add SMTP-time spam protection by checking the HELO-provided domain name I found out that even big mail systems like SourceForge don't send correct HELO information. The SMTP RFC requires HELO/EHLO before the MAIL FROM command is issued. If the reverse lookup of the connecting IP does not match the given domain name in the HELO command, simply delay the connection for 20 seconds (tarpitting) and close the connection.

    This would work very nicely because then you can at least identify the spammer (they must have a domain name + reverse entry, which makes tracking down the owner of the domain quite easy) - but it does not, because even the admins of big servers aren't able to set these basic things up correctly.

    I'd love to see these huge ISPs start forcing correct HELO commands; this way people will start to set things up correctly. This will certainly not stop spam but it will make the senders identifiable (or make owners of hacked machines contactable). I see no valid reason why this basic feature of SMTP isn't used. Okay, the RFC does not make correct domain names mandatory for the HELO command, but current issues with mail do, I think. Use what's there already! And kick the butts of the lazy admins.
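As an added example (not code from any poster in this thread), here is a Python sketch of the EHLO/HELO consistency check discussed in comments 38 and 39. The DNS tables, hostnames and addresses are constructed so it runs offline; the default policy follows RFC 2821 section 4.1.4, where a failed EHLO verification is recorded for logging and tracing but is never by itself a reason to refuse the message, and the stricter forward-plus-reverse rule from the thread is included only so its effect on legitimate senders can be seen.

```python
import ipaddress
import re

# Constructed forward (A) and reverse (PTR) tables standing in for DNS so the
# example runs offline. Names and addresses are hypothetical.
FORWARD = {
    "example.net": {"203.0.113.10"},
    "mx1.example.net": {"203.0.113.10"},        # MX shares the apex address
    "mail.bigisp.example": {"198.51.100.5", "198.51.100.6"},
}
REVERSE = {
    "203.0.113.10": {"example.net"},            # PTR names the apex, not the MX
    "198.51.100.5": {"mail.bigisp.example"},
    "198.51.100.6": {"mail.bigisp.example"},
}

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn_shaped(name):
    """True when name has at least two valid labels. A bare Windows machine
    name such as 'gracie' fails; 'gracie.workgroup' passes the shape test even
    though it will not resolve."""
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(lbl) for lbl in labels)


def classify_helo(helo, client_ip, forward=FORWARD, reverse=REVERSE):
    """Relate the EHLO/HELO parameter to the connecting address.

    Verdicts:
      address-literal  EHLO [a.b.c.d], which RFC 2821 permits (no name to check)
      not-fqdn         a bare label, typically a NATed desktop's machine name
      unresolvable     a well-formed name with no address record (the NAT case)
      ip-mismatch      the name resolves, but not to the connecting address
      forward-only     name -> ip holds, but the PTR names something else
      consistent       name -> ip and ip -> name both hold
    """
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.ip_address(helo[1:-1])
            return "address-literal"
        except ValueError:
            return "not-fqdn"
    name = helo.rstrip(".").lower()
    if not is_fqdn_shaped(name):
        return "not-fqdn"
    addrs = forward.get(name)
    if not addrs:
        return "unresolvable"
    if client_ip not in addrs:
        return "ip-mismatch"
    ptr_names = {p.lower() for p in reverse.get(client_ip, ())}
    return "consistent" if name in ptr_names else "forward-only"


def helo_policy(verdict, strict=False):
    """SMTP reply code for a verdict.

    strict=False follows RFC 2821 4.1.4: verification failure MUST NOT be the
    reason for refusing a message, so every verdict gets 250 and the verdict
    goes to the log. strict=True is the rule proposed in the thread (accept
    only when forward and reverse agree); it rejects the small-domain MX whose
    PTR names the apex as well as the NATed desktop.
    """
    if not strict or verdict == "consistent":
        return "250"
    return "550"


def log_line(helo, client_ip, strict=False):
    """One trace line a receiving MTA could keep per session."""
    verdict = classify_helo(helo, client_ip)
    code = helo_policy(verdict, strict)
    return f"helo={helo} ip={client_ip} verdict={verdict} reply={code}"


if __name__ == "__main__":
    # The situations raised in the thread: a small domain whose PTR names the
    # apex, a large ISP relay, and a NATed desktop announcing its workgroup name.
    for helo, ip in [("mx1.example.net", "203.0.113.10"),
                     ("mail.bigisp.example", "198.51.100.6"),
                     ("gracie.WORKGROUP", "192.0.2.77")]:
        print(log_line(helo, ip), "|", log_line(helo, ip, strict=True))
```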

  40. SSH Tunnel by santiago · · Score: 2, Informative

    I have a command-line alias set up to use SSH port reflection from port 25 on my laptop to port 25 on my server. My mail client is then configured to use localhost as the outgoing mail server. Whenever I need to send email, I just need to enter one command in a terminal window to enable it until I move elsewhere and the connection is broken.

    I used to just run sendmail directly on my PowerBook, but I got too many bounce messages from servers that refuse to accept mail from known dynamically allocated IP ranges, on the assumption that I must be a zombie spammer.

  41. Phishing by Anonymous Coward · · Score: 0

    There's a paypal phishing sploit out there too, so methinks this be a troll who is also a phisher.

    Not a spammer but a hacker problem I had once, he was hitting me and some people on a political forum I was moderating. I tracked him (guy in his early 20s) down (he was very surprised to get found out, BTW, I guess he thought he was elite or something) and let him know I wouldn't go to the police, or his ISP or "take him to court" or any of that nonsense, just visit severe and long lasting pain on his person and leave him unable to operate a phone, mouse or keyboard if he didn't immediately cease his anti social behavior. I'm from the old school, and this method has always worked, never seen it fail yet. He stopped what he was doing, at least to myself and some acquaintances. It's hard to track people down but you can if you get motivated and develop some alternative skills.

    That's the only thing that will stop spammers and blackhats, IMO. I am not advocating anyone else do that, that's illegal of course, just relating what I did in one situation. Playing arty/armor/arty/armor in an escalation of technology won't work, all it does is waste resources and never addresses the root of the problem: that some people are just criminals and need an attitude adjustment.

    As to boneheads who can't operate their computer: shut off their email if they get caught being a relay or anything, shut them off the web if they get zombiefied. If my machine gets compromised because I've been a bonehead, then so be it. I have no problem with my ISP shutting me off until I fix it.

  42. Earthlink != Best Practices by Brandybuck · · Score: 2, Interesting

    I get my DSL through Earthlink, but my domain is hosted elsewhere. So I don't ever use my Earthlink email address. The ONLY legitimate email coming to that address is my monthly billing statement. And for the last few years, that's pretty much all I got. Sometimes Earthlink itself would send me spam, but it was nothing an embarrassing submission to abuse@earthlink.com couldn't handle.

    But they recently stopped their server-side spam filtering (Spaminator(tm)) and replaced it with client-side plugins. Overnight I started receiving thirty spams a day to an account that I have NEVER used. Besides the general annoyance that they are shuffling off anti-spam responsibilities to the customer, their plugins are for Windows Outlook and webmail only. (They say it's for Mac as well, but that's only a euphemism for "you must use webmail"). This is unacceptable.

    --
    Don't blame me, I didn't vote for either of them!
    1. Re:Earthlink != Best Practices by elemental23 · · Score: 1

      But they recently stopped their server-side spam filtering (Spaminator(tm)) and replaced it with client-side plugins.

      Umm, great except that the above is 100% untrue.

      The only thing that's changed about Earthlink's server-side spam filtering is the name, which was changed from "Spaminator" to "Spam Blocker" for some reason probably known only by their marketing department. Spam Blocker on its 'medium' setting is exactly the same service as the old Spaminator. Further, when they changed this, my Spam Blocker was switched to the medium level by default and I saw no difference in service.

      --
      I like my women like my coffee... pale and bitter.
    2. Re:Earthlink != Best Practices by Brandybuck · · Score: 1

      Then please tell me how to turn Spaminator/SpamBlocker back on! When I suddenly started to get deluged by spam on my mindspring account, I went to make sure it was still on. The only thing I could find was a download for an Outlook plugin. My only other alternatives are to use Earthlink's TotalAccess software (unavailable outside of Windows/Mac) or use their webmail.

      My assumption is that the "medium" setting is sending some spam to the webmail spam box, where it will rot silently forever. But I can find no way to turn on the "high" setting to prevent the rest of it from hitting my client inbox. If you know how, please tell me!

      --
      Don't blame me, I didn't vote for either of them!
    3. Re:Earthlink != Best Practices by elemental23 · · Score: 1

      You can log into webmail to make changes, but this doesn't restrict you to using webmail to read mail. Look for "Spamblocker" on the left. This will let you toggle between off, medium, and high (which is actually their challenge-response/whitelist system).

      --
      I like my women like my coffee... pale and bitter.
  43. I doubt it by zogger · · Score: 1

    It seems to me that if someone has a chronically broken box spewing spam and trojans and whatnot constantly, that they are exactly the types of customers the ISPs lose money on. It shouldn't bother them at all to drop a customer and save on bandwidth and headaches and admin costs. Just taking in more gross revenue doesn't necessarily always mean you make a net profit on it.

    Say you run a bar, and have a really obnoxious drunk, insulting people, vomiting on the floor, etc, just a PITA. He's spending money though, you are taking in more gross revenue from his business, but would you be better off kicking him out and just concentrating on the patrons who could hold their liquor? In the long run, people, the customers you really want to be regulars, will come back to the bar that keeps itself within some bounds. That's why I think blocking whole subnets is acceptable as well, there are just some places that need to be cut off completely from interacting with the rest of the internet until they clean up their act.

  44. Oh really?? by Anonymous Coward · · Score: 0

    best practices? Several of these ISPs use BrightMail... never mentioned it in the article though. I can attest to the fact that BrightMail has reduced my level of spam to such a low level I think people are lying when they say they still get spam!

  45. Joe jobs by Anonymous Coward · · Score: 0

    The problem is sometimes the organization sending/financing the spam is NOT what it appears to be. Sending offensive spam on behalf of a company you don't like is called Joe Jobbing, and it's common practice. When you take revenge, make sure you're taking revenge on the right people.

  46. automatically refusing fake delayed bounces by Brian+Ristuccia · · Score: 1
    I'd be very happy if everyone could get their act together and reject undeliverable addresses during the SMTP transaction. Delayed bounces are responsible for most of the backscatter which pollutes my mailboxes and logs these days.

    Sure it's best if the message can be refused during the SMTP transaction rather than bounced after the fact. But sometimes that's not possible - for example in the case where a message has already been accepted by a backup mail exchanger or when the message is detected as undeliverable by the MDA after the MTA has already accepted it. In any case, when faced with the choice of returning a message or simply discarding it, returning it will always generate the least unmitigatable collateral damage. The real owner of an envelope sender address faked on a junk message can minimize collateral damage by refusing fake bounces at the SMTP transaction level. In that case, it only costs them a few bytes of bandwidth. If junk messages are simply discarded, the sender of a misclassified message has no way to prevent, detect, or work around the silent loss of his message.

    You can filter fake bounces with 100% reliability by ensuring that each of your legitimate outbound messages has a time-expired, hash-signed envelope sender. Any automatic responses or bounces which arrive and don't include a valid hash are obvious forgeries and can be safely discarded. You can even refuse these right at the RCPT stage by having your MTA return a 5xx series status code.

    For more information, see this Internet Draft on Bounce Address Tag Validation (BATV) and a few shell scripts on my web site at http://osiris.978.org/~brianr/bouncevalidation/ which implement fake bounce detection at the MDA stage.
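As an added example (not the poster's shell scripts and not the BATV draft's reference code), a Python sketch of the tagged-envelope-sender idea above: outbound mail gets a prvs-style signed, time-limited local part, and at RCPT time a null-reverse-path message (a bounce or auto-response) is refused with a 5xx unless its recipient carries a valid tag. The key material, the 7-day window and the day encoding (days since the Unix epoch mod 1000) are constructed assumptions, so the tags are not wire-compatible with any real BATV deployment.

```python
import hashlib
import hmac
import re

# Constructed secrets keyed by the single-digit key version carried in the
# tag. Keeping the previous key lets bounces to mail signed before a rotation
# still validate until their tag expires.
KEYS = {0: b"constructed-old-key", 1: b"constructed-current-key"}
CURRENT_KEY = 1
VALID_DAYS = 7      # bounces are accepted this long after the message was sent

# prvs=KDDDSSSSSS=original-local-part
TAG_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-fA-F]{6})=(.+)$")


def _sig(key_ver, ddd, loc_core, domain):
    """Six hex chars of an HMAC over key version, expiry day and address."""
    msg = f"{key_ver}{ddd:03d}{loc_core}@{domain.lower()}".encode()
    return hmac.new(KEYS[key_ver], msg, hashlib.sha256).hexdigest()[:6]


def sign_sender(address, today_days, key_ver=CURRENT_KEY):
    """Rewrite local@domain into the tagged envelope sender used for MAIL FROM.
    today_days is the current day number (days since the Unix epoch)."""
    loc_core, domain = address.rsplit("@", 1)
    ddd = (today_days + VALID_DAYS) % 1000          # expiry day, mod 1000
    sig = _sig(key_ver, ddd, loc_core, domain)
    return f"prvs={key_ver}{ddd:03d}{sig}={loc_core}@{domain}"


def check_tag(address, today_days):
    """Return (verdict, original_address) for an incoming RCPT TO address.
    verdict is one of untagged, bad-key, bad-sig, expired, valid."""
    if "@" not in address:
        return "untagged", address
    local, domain = address.rsplit("@", 1)
    m = TAG_RE.match(local)
    if not m:
        return "untagged", address
    key_ver, ddd, sig, loc_core = int(m[1]), int(m[2]), m[3].lower(), m[4]
    original = f"{loc_core}@{domain}"
    if key_ver not in KEYS:
        return "bad-key", original
    # Verify before trusting the expiry field; constant-time compare.
    if not hmac.compare_digest(sig, _sig(key_ver, ddd, loc_core, domain)):
        return "bad-sig", original
    # Days remaining until expiry, wrapping at 1000; a past expiry wraps high.
    if (ddd - today_days) % 1000 > VALID_DAYS:
        return "expired", original
    return "valid", original


def rcpt_decision(mail_from, rcpt_to, today_days):
    """Reply to RCPT TO as (code, text, mailbox_to_deliver_to).
    An empty MAIL FROM (the null reverse path <>) marks a bounce or automatic
    response; those must carry a valid tag. Ordinary mail is delivered to the
    untagged mailbox whether or not the recipient was tagged."""
    verdict, original = check_tag(rcpt_to, today_days)
    if mail_from == "":
        if verdict != "valid":
            return "550", f"5.7.1 bounce to unsigned or invalid address ({verdict})", original
        return "250", "2.1.5 bounce accepted", original
    return "250", "2.1.5 recipient ok", original


if __name__ == "__main__":
    day = 19000                                     # constructed "today"
    tagged = sign_sender("alice@example.net", day)
    print("MAIL FROM:<%s>" % tagged)
    print(rcpt_decision("", tagged, day + 3))                   # genuine bounce
    print(rcpt_decision("", "alice@example.net", day))          # forged bounce
    print(rcpt_decision("", tagged, day + VALID_DAYS + 1))      # stale bounce
```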

  47. No, it's a power grab. by twitter · · Score: 1
    [blocking port 25 for people with owned machines] might cost the ISP's money. So instead we get a "best practice" document which preaches to the converted and achieves nothing.

    No, this is the beginning of legislative effort. They clearly state this at the end of their press release. The object is to get laws passed about what ISPs do and to make the net easy for them to control. It's everything the people who designed the internet fought against and what is left will more resemble broadcast TV.

    The goal, of course, is to secure government protection for the current status of the companies and to stomp out free software. Any kind of government regulations place barriers on new entrants. The proposed solutions are, in part, Microsoft solutions. Microsoft will be at an advantage to limit the number of ISPs and they can do that if legislation requires the use of Microsoft junk. Even if the members can guide the legislation and defeat Microsoft, the email authentication requirements can be used to defeat new ISP entrants. They are attempting to make the network "smart" so that they can control it.

    The trend is unmistakable, these guys want to be the "asshole in the middle" of everything. They destroyed AtHome, DSL providers and all semblance of competition in the ISP market. Now they are using that control to gain even more. They have the gall to advocate "legitimate" spam in their press release.

    All of this places the blame far from where it belongs. Spam is a problem that comes from and mostly affects Microsoft run computers. It is disgusting that the trouble maker will be one of the main beneficiaries of the proposed solution.

    --

    Friends don't help friends install M$ junk.

    1. Re:No, it's a power grab. by pe1chl · · Score: 1

      It's everything the people who designed the internet fought against

      There has been very little fighting against spam from the people who designed and fathered the Internet. Sad, but true.
      When the mighty corporations take over and do things they don't like, it is mainly their own fault.
      Internet mail, important as it is today, probably cannot and should not be handled by a "simple" protocol (the S in SMTP means "simple") that is so easily subverted and abused.

      The Internet community should have come up with a solution instead of fighting about how this would break some special setup or some "right" that certain people seem to infer from the fact that the Internet was not regulated at a time in the past.

    2. Re:No, it's a power grab. by Anonymous Coward · · Score: 0
      Moderators: Please note that "twitter" is a known fanatical sycophant whose obnoxious offtopic rants are legend here on Slashdot. It doesn't matter what the topic is, he'll find a way to scrape in some pointless Microsoft bashing. While nobody expects us to love Microsoft in any way, his particularly tepid style of calling anyone he replies to "troll" or "liar" or "fanboy" because he happens to disagree with whatever they're saying is well documented and should not be rewarded. If anything, twitter is the type of person that should not be part of the open source/free software community. He is anathema to all that is good about free software.

      I'm posting this so that you (the moderator) have some context to consider twitter and not mod him up whenever he posts his filler preformatted rants about installing Knoppix or whatever that unfortunately get him karma every single time and allow him to continue posting his trademark toxic crap (read on) day in and day out. You may consider this a troll - I consider it community service. And I ain't kidding.

      If you're a /. subscriber, I invite you to look through some of his posting history. I guarantee that you'll be hard pressed to find someone that is more "out there" than twitter. You'll also probably notice he's got quite an AC following. Don't just read his posts, make sure you go through the replies.

      To get an idea of what I'm talking about, check this post out. I mean, this is an article about email disclaimers, right? The parent of the post is complaining about the ads in the linked page and so on, and twitter actually goes off on a rant to blame it on Microsoft and recommend Lynx. WTF?

      Here's another. In this post twitter not only calls the OP a troll but attempts to "tell it like it is" while making some vague argument about "GNU". Yes, if you're confused, you're not alone. The reply (modded +4) proceeds to simply destroy his bogus argument. You will notice he did not reply. This is what some people call "drive-by advocacy". A sort of I'll just leave you with my thoughts here and move on to the next flamebait kind of deal. In fact, he almost never replies because he knows that his fanatical arguments simply do not hold up to any sort of discussion. It's not that he's chosen the wrong cause - he's just going at it in a completely wrong way.

      More? Just read through this post and the subsequent replies. I guess this stands on its own.

      More? Bad spelling in astounding conspiracy theories, more offtopic FUD and uninformed "I'm right, look at me" rants, promptly proven wrong. Worse even, twitter wants to be RMS, apparently (that first one is a winner). I mean, really. You think?

      FUD, FUD, FUD, FUD, offtopic FUD

    3. Re:No, it's a power grab. by Anonymous Coward · · Score: 0
      Spam is a problem that comes from and mostly affects Microsoft run computers

      No, it doesn't affect mostly Microsoft "run" computers. Don't you get spam?

      How did Microsoft "destroy" @Home again? @Home went down with Excite after they burned through their VC billions.

      Funny that you keep quoting that article. It must be a coincidence that you are also the submitter.

      Your posting history is mind boggling, by the way.

  48. What Constitutes a Need For Mail Servers? by schnarff · · Score: 3, Interesting

    One major question anyone reading this has to ask is -- what constitutes a "legitimate need" to run a mail server (people meeting this condition are those who ISPs should open port 25 for, according to the official doc). I run my own mail server, and have since 2000; additionally, I give out accounts to any of my friends and family that want them. The reason I do this, and the reason people get accounts on my box, is the lack of (unreasonable) restriction I impose on them: no mailbox size limit, no outbound mail size limit, as many aliases as they feel like (of course, I don't run an open relay, and I'd cancel an account instantly if I found someone spamming through it). If I were forced to move to some hosted solution, I would lose a lot of features, and have to pay to boot.

    So is it necessary for me to run a mail server? No, I could technically survive without my own. Would it be a travesty if I were forced to switch to cut off spammers? Hell yes!

    So until they draw the line on who "needs" to run a mail server, I can't possibly support this concept (or at least the port 25 restrictions piece of it).

    1. Re:What Constitutes a Need For Mail Servers? by a24061 · · Score: 1
      I agree completely. I run my own MTA for outbound mail because my ISP's mailrouters, although reliable most of the time, occasionally go horribly wrong and delay outgoing mail for up to a day.

      I get my incoming mail by POP3 and I can generally tell if it is getting delayed. But the only way I can be sure my outgoing mail is working is to run my own MTA and check the mail spool. Unfortunately there are an increasing number of asinine admins using dynablock-type blacklists, forcing me to "dumbhost" (as I prefer to call it) mail to certain domains.

  49. They are by jgardn · · Score: 1

    There is a group called MARID debating this issue right now. We have already decided that the way to defeat spam is first to authenticate every email. SPF and CallerID are the two major proposals for this, and right now, they are working on a compromise.

    --
    The radical sect of Islam would either see you dead or "reverted" to Islam.
  50. Re:Horse Balls by Anonymous Coward · · Score: 0

    I use VMS mail and DECNET with no IP routing
    I get no spam 'cause nobody else in the world can reach me!

  51. Another point: web pages by eaolson · · Score: 2, Interesting

    I understand that there is no silver bullet to end spam. But one recommendation that this document does not address is the hosting of the web site advertised in the email. If spammers also could not find places to host their sites, the utility of spam (to the spammer) would significantly decrease.

    The irony is that Yahoo appears to be fairly spammer-website friendly. They kill abusive Geocities pages fairly rapidly, but paying users appear to be basically bulletproof.

    I've got one pet spammer (http://suburbanexpress.site.yahoo.net/) that's been hosted from Yahoo and spamming from an Ameritech DSL line since November, and neither will do anything about it.

    1. Re:Another point: web pages by GorillaButt · · Score: 2, Interesting

      Not so. Many forms of spam today have ZERO websites advertised like Diploma spam with phone numbers, Stock tips which simply advertise the ticker symbol, and a host of phishing and 419 scams. I do agree that sites should be shut down, but it is a secondary issue. We need to shut off the source of where the spam comes from and work back to the spammer him or herself.

    2. Re:Another point: web pages by eaolson · · Score: 1
      Not so. Many forms of spam today have ZERO websites advertised like Diploma spam with phone numbers, Stock tips which simply advertise the ticker symbol, and a host of phishing and 419 scams. I do agree that sites should be shut down, but it is a secondary issue. We need to shut off the source of where the spam comes from and work back to the spammer him or herself.
      A few, yes, but they're in the minority. (At least in my experience. I just checked the most recent dozen I received, and they're all advertising web pages.) I think the moral of this story is that spam is a many-headed beast, and we need to chop at all of them.
  52. Not quite... by Xformer · · Score: 1

    Bouncing = rejecting an email on the receiving end for some reason

    Forwarding = sending a nearly identical copy (headers and everything) of an email to another destination (what /etc/aliases and .forward files do)

    "Bouncing" = Forwarding

    "Forwarding" = resending (sending a copy of only the contents of the original email inside of a new email message)

    --
    All I want is a kind word, a warm bed and unlimited power.
    1. Re:Not quite... by Marillion · · Score: 1
      Oops, overloaded definitions.

      A bazillion years ago, I used an email reader called elm. Now I use mutt. The <B>ounce key is used to retransmit an original message to a new recipient. The <F>orward key is used to send a new message based upon the original message.

      In MTA land, the .forward file is in effect doing what elm and mutt call bouncing. And bouncing is no such user or whatever.

      I agree that retransmitting someone else's message to a new recipient will be seriously problematic in SPF land and will break ".forward" files all over the world.

      --
      This is a boring sig
    2. Re:Not quite... by Shirotae · · Score: 1

      If you look at the headers of a message resent by what mutt (and eudora IIRC) calls 'bounce', you will find "Resent-From:", "Resent-To:" and perhaps other "Resent-*" headers. This is a perfectly valid way to send "the same" (i.e. same message-id) message to extra recipients after it has been delivered.

      The trick with .forward causes the message to continue on its way to new destinations without really leaving the SMTP world, and without adding these extra headers.

      I believe that a message that is 'resent' should go out with the envelope showing whoever resent it as the MAIL FROM, so provided that that is what SPF uses, it should work. Perhaps things that currently use .forward should be rewritten to 'resend' instead when going via public routes, thus eliminating the essentially anonymous and transparent redirection that is harder to distinguish from spam tactics.

  53. Best Practices. Bah by Laroue · · Score: 1

    The only real answer is to swap it so that the sender holds the message until the receiver requests it. And that requires scrapping the existing system.
    Spam is here until this incarnation of email dies, or everyone whitelists....

    --
    #### ## Laroue ####
  54. Hobble HMTL instead of no Preview by redelm · · Score: 1
Why fully render HTML email (a monstrosity that is not supposed to exist, and I purge on sight)?

Suspiciously render what's delivered, and put placeholders for IMG tags. Like in the good ol' days, press "LOAD Images" to see it all. MS has made some very insecure design decisions.

  55. Re:forcing valid reverse domains on HELO would hel by Anonymous Coward · · Score: 0
    See this comment about the reverse stuff. The RFC only says it needs to be resolvable, anti-spam folklore has built the "reverse must equal forward" myth, no RFC says that. In fact, the RFC actually says that even if the IP that the EHLO domain field resolves to does not match the IP that the client is connecting from that fact MUST NOT be used to reject mail:
    An SMTP server MAY verify that the domain name parameter in the EHLO command actually corresponds to the IP address of the client. However, the server MUST NOT refuse to accept a message for this reason if the verification fails: the information about verification failure is for logging and tracing only.
    Your capo mx doesn't follow the spirit of your own rule or the RFC, I get told to connect to toner.copyshop.at and your EHLO server response says copyshop.at. So you tell me to go to toner but then you respond with something that does not appear to resolve - which is against the RFC.
    Note that the RFC uses the same term "domain" which it defines in Section 3.6 for the ehlo/helo and the "ehlo-ok-rsp" server response domain "field" in the grammar which defines the protocol.
    ehlo = "EHLO" SP Domain CRLF
    helo = "HELO" SP Domain CRLF

    ehlo-ok-rsp =
    ( "250" domain [ SP ehlo-greet ] CRLF )
    / ( "250-" domain [ SP ehlo-greet ] CRLF
    *( "250-" ehlo-line CRLF )
    "250" SP ehlo-line CRLF )
    The "domain" field in the grammar doesn't mean domain like x.com, it means domain name as defined in section 3.6

    This part of the RFC is conveniently ignored/overlooked by many people and long used practices make people believe that the RFC says something that it doesn't.
  56. Introducing SRS by rickmoen · · Score: 1
    Marillion wrote:

    I agree that retransmitting someone else's message to a new recipient will be seriously problematic in SPF land and will break ".forward" files all over the world.

    Until a millisecond after the user replaces

    user@domain.tld

    ...in his .forward file with...

    |/usr/bin/srs user@domain.tld

    ...and the sysadmin inserts these two lines into /etc/aliases (after installing Mail::SRS from CPAN):

    srs0: "|/usr/bin/srs -reverse"
    srs1: "|/usr/bin/srs -reverse"

    It's documented. And amply so, too.

    Rick Moen
    rick@linuxmafia.com

    1. Re:Introducing SRS by Xformer · · Score: 1

      Have you tested that syntax with the current Mail::SRS module? Unless I'm seriously mistaken, passing the email into a program in .forward passes the entire email.

      The current "srs" executable that comes with that module only translates an address, and that address has to be on the command line. The most efficient way to handle SRS rewriting is in the MTA, and there are already patches for a few of them. There's Python SRS, that can be plugged into Exim and sendmail, and there's a similar implementation in Perl that it links to. There is also an implementation for qmail. I haven't seen one yet for Postfix, but I can't see it being that difficult to implement.

      In any case, the only sites that really need to implement it are those that do any forwarding or sending of email as if it's coming from a domain other than their own. In the meantime, there's a trusted forwarder list to ease the transition where it's needed.

      --
      All I want is a kind word, a warm bed and unlimited power.
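The SRS0 rewriting that Rick's .forward and /etc/aliases lines delegate to /usr/bin/srs, and that Xformer notes is best done inside the MTA, as an added Python illustration (not Mail::SRS or any MTA's own code): the forwarder rewrites MAIL FROM to an SRS0 address it owns, and later unwinds a bounce to that address only if the embedded hash and timestamp check out. The secret, the HMAC-SHA1 choice and the 21-day validity window are assumptions for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for this example; a real forwarder keeps its own private key.
SECRET = b"example-forwarder-secret"
# Base32 alphabet used for the two-character SRS timestamp field.
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _encode_timestamp(days):
    """Encode (days since the epoch) mod 1024 as two base32 characters."""
    t = days % 1024
    return B32[(t >> 5) & 31] + B32[t & 31]


def _decode_timestamp(ts):
    """Inverse of _encode_timestamp; raises ValueError on a bad character."""
    return (B32.index(ts[0]) << 5) | B32.index(ts[1])


def _hash(secret, ts, domain, local):
    """HMAC-SHA1 over timestamp, domain and local part (lower-cased), cut to
    4 base64 characters. Assumed parameters; real installs may pick others."""
    msg = (ts + domain + local).lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest)[:4].decode()


def srs_forward(sender, forwarder, secret=SECRET, days=None):
    """Rewrite the envelope MAIL FROM so bounces return to the forwarder.
    user@example.org -> SRS0=<hash>=<ts>=example.org=user@forwarder"""
    local, domain = sender.rsplit("@", 1)
    if days is None:
        days = int(time.time() // 86400)
    ts = _encode_timestamp(days)
    h = _hash(secret, ts, domain, local)
    return f"SRS0={h}={ts}={domain}={local}@{forwarder}"


def srs_reverse(address, secret=SECRET, days=None, max_age_days=21):
    """Unwind a bounce aimed at an SRS0 address back to the original sender.
    Raises ValueError for anything that is not a valid, unexpired SRS0 address,
    so the forwarder never becomes an open bounce relay."""
    local, _ = address.rsplit("@", 1)
    if not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    fields = local[len("SRS0="):].split("=", 3)
    if len(fields) != 4:
        raise ValueError("malformed SRS0 address")
    h, ts, domain, orig_local = fields
    if days is None:
        days = int(time.time() // 86400)
    # Timestamps wrap every 1024 days, so compare modulo 1024.
    age = (days % 1024 - _decode_timestamp(ts)) % 1024
    if age > max_age_days:
        raise ValueError("SRS address expired")
    if not hmac.compare_digest(h, _hash(secret, ts, domain, orig_local)):
        raise ValueError("SRS hash mismatch")
    return f"{orig_local}@{domain}"
```

A second hop would wrap the SRS0 address into SRS1 form rather than nesting another SRS0; that case is left out here.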
  57. Re:forcing valid reverse domains on HELO would hel by HTD · · Score: 1

Thanks for pointing that out, I fixed the HELO for my server now.

I still think that valid reverse entries should be enforced though. The post you linked to makes a point for small domains - well, if the reverse entry is domain.com so be it - tell the mailserver to use domain.com for HELO commands. Load balancing systems consist of many mailservers - if I have a system that has 5 mailservers behind one router == one IP then I tell all 5 mailservers to use the correct name for that IP. If I run 5 servers using DNS round-robin I use correct names for each of the five. What sourceforge does is:

    Received: from [66.35.250.206] (helo=sc8-sf-list2.sourceforge.net)
    $ host sc8-sf-list2.sourceforge.net
sc8-sf-list2.sourceforge.net is an alias for projects.sourceforge.net.
projects.sourceforge.net has address 66.35.250.209
which is clearly not the name of the box sending the mail, even though it could be configured correctly. Maybe I am missing some important point, but I guess setting up valid reverse lookups is possible, and should be checked.

I know that the RFC does not enforce this, that's why I _suggested_ doing so. And if the others would do it I would have noticed earlier that my setup is flawed, because others won't accept my mails.

  58. You are wrong. by warrax_666 · · Score: 2, Insightful

    Blocking outbound port 25 has the effect that zombies cannot send mail to SMTP servers listening on port 25. (Incidentally, it also has the effect that completely legitimate and well-behaving mail servers on the network cannot do so either -- unless there is some form of more or less manual unblocking which the customers can apply for/use)

    --
    HAND.
    1. Re:You are wrong. by matth · · Score: 1

We block port 25. What I've noticed, though, is that a lot of the newer zombies are sending mail out through port 25 on our mail servers! So they just connect to the mail servers and happily start sending mail out!

    2. Re:You are wrong. by WoodstockJeff · · Score: 1
      it also has the effect that completely legitimate and well-behaving mail servers on the network cannot do so either

      And most ISPs will work with you on this. I spent a great deal of time on the phone with one North Carolina wireless ISP this month, fixing a problem with a zombie on their network. They are relatively new to the spam fighting game, but willing to learn. I went over the pro and con arguments of wholesale blocking of port 25 traffic, and the need for unblocking access to certain servers for certain people.

      In the end, they elected to block all port 25 traffic EXCEPT that going to their mail servers, and wait to hear from their customers if it were a problem. After a week, no human users noticed... But the zombie stopped calling our servers!

  59. Comcast?!?! by Anonymous Coward · · Score: 0

    Is it just me, or does adding comcast to a group trying to prevent spam seem like a step backwards? Granted, they're finally doing something to limit the spam coming from their own network, but how long did it take them to do that?

  60. The MS conflict of interest shows through by Anonymous Coward · · Score: 0

The recommendations for "legitimate" bulk e-mail senders are purposely vague just so that MS can continue to declare that MS bCentral.com sends "legit" bulk e-mail.

    Consider the following:
    "Do not harvest e-mail addresses ... without the owners' affirmative consent."

They do not provide any details to define "owner" or "affirmative consent." Legit mailing list servers will frequently email a random string which must be replied to via email to confirm that the email address is correct and the person claiming to own it can actually receive email at that address. MS bCentral customers will frequently send email based on the fact that someone filled out a web form *claiming* to be the owner (no confirmation via email). Hence, MS will make no distinction between email confirmation and web form "confirmation" of email subscription. In fact, MS bCentral claims no responsibility to provide any logs as to where/when/who issued a subscription request; they only state that the customer claims that such an act took place at some unknown place and unknown time by someone claiming to own the email address. If someone accidentally or purposely put an incorrect email address then the actual owner must go through the work of opting out. Which leads to my next point...

    - "Always provide clear instructions to customer about how to unsubscribe or opt-out of receiving e-mail."

    Oh. I frequently get "clear instructions." I get clear instructions on what web page to go to. I get clear instructions on how to enable cookies in my web browser. I get clear instructions on how to check the box saying I agree with all the terms of services document for the website. Regardless of if it is clear:
- I should not have to open a web browser to opt out.
    - I should not have to change how my web browser is configured to opt out.
    - I should not have to agree to anything to opt-out.

Again, if it stated that a clearly documented method of removal via **email** reply (with no additional web/phone/snail-mail hoops to go through) must be provided then some of the emails sent by MS bCentral would no longer be legit. Therefore, they give a recommendation that still allows demanding the user jump through hoops via a web browser to remove themselves from the email list. The ASTA does not take into consideration the fact that just because a device is capable of receiving/sending email does not mean it is capable of web browsing. Rather, their priority is defining "legit" bulk e-mail in such a way that the opt-out methods "provided" by bCentral are legit.

The basic common sense rules of subscription and unsubscription from mailing lists do not apply to bCentral so it appears they also do not apply to the ASTA definition of "legit" bulk e-mail. When the ASTA is made up of only members that themselves follow the logical rules of mailing lists, then maybe they will make recommendations that make sense. Until then, skip the ASTA vague crap and just blacklist bCentral -- "legit" bulk e-mail my behind.

  61. How about an ad campaign to educate people? by Anonymous Coward · · Score: 0

    Seriously, why don't these guys get together and sponsor a massive ad campaign telling people something to the effect of "each year, spam costs this much, and it ends up being paid by you. stop purchasing stuff advertised through unsolicited email. it's up to you"

Increasingly, it looks like it really is up to users alone to kill spam's business model. If nobody buys from them, they're toast.

    I'm sure some spammer association (DMA) will object to such a campaign, but screw them, go do something useful for a change.

  62. This is all wonderful. by Anonymous Coward · · Score: 0

    This is great and they can all do more to educate consumers as well as take "best practices."

What I want is the right to hunt down and kill the worthless scum that have hijacked my domain name. They send out tons of spam daily using it as the from @domain.com. I get several hundred "message undeliverable" messages a day as the result of my domain name being hijacked. As there is no SMTP server it's impossible for me or anyone else to send mail from my domain. All the mail to my domain is routed through NetworkSolutions and forwarded to a working address. Zero is originated from that particular domain.

    I just want to find the fucker and put my 45 up their ass and slowly pull the trigger about 5 times before I put 2 in their head. My domain is my actual given name so I consider it a valid reason to kill the worthless fuckers.

  63. Zombies? by matth · · Score: 1

    So how DO you detect zombies on your network? I've wondered about this for a long time and would love to know what ports these zombies listen on so I can scan for them. Any one have any ideas?

    1. Re:Zombies? by Anonymous Coward · · Score: 0

      storm center is one place:
      http://www.incidents.org/top10.php
      http://www.incidents.org/
      They have port details and you can add comments per port and ask questions.

  64. Re: Shortcomings of these recommendations by tcgroat · · Score: 1
    The suggestions omit these important requirements, mostly for mailing list operations:

    All email lists must be created by confirmed opt-in, without exception.

    All subscriptions are for one mailing list only. They may never be used for any other purpose, including "related" mailings from the same organization and automatic subscription transfers to a "replacement" list if the list folds. If the subscriber didn't explicitly ask for it, it's junk mail!

    Unsubscribe requests must be processed through plain-text email to an address in the originating domain.

    Users should be taught to never use any URLs in unsolicited or suspect email, and that all such links should be considered malicious. In particular, "click here to remove" is to be considered synonymous with "attack my PC".

Legitimate mailing list messages never include scripts, attachments, or executable content of any description. If executables are part of the list's charter, they will be accessed only by user-initiated download, never by attachment or automatic invocation. I could go on much longer, but that covers my most common gripes!

  65. Microsoft Disingenuous by Dakota+Rider · · Score: 1

    Microsoft is being disingenuous by being a member of the group. They first need to delete Outlook completely, own up to the incredible damage its "cool" features have allowed, and then start participating in the effort to reduce SPAM and email worms. Oh, and maybe release an email client that is at least as clean as the best of the others out there.

  66. Re:forcing valid reverse domains on HELO would hel by Anonymous Coward · · Score: 0

    It could be that 66.35.250.206 which is lists.sourceforge.net (which makes sense) is a firewall machine or load balancer that all the outgoing mail goes out through and that the name is different because if someone sends incoming connections it takes a different pathway, I am not sure. I think there are just too many different firewalling and load balancing methodologies for the reverse thing to ever work consistently.

    If you want to try to get admins to pay more attention to overall configuration issues and screen out those who don't follow certain RFC rules then check out RFC Ignorant
I find that domains that refuse to create and respond to proper admin addresses are people who tend to flout other rules and netiquette. The bogusmx list is especially telling because pure spam domains sometimes will list bogus MX records.

What about using the OpenBSD spamd with greylisting to greylist everything that isn't known to fight back? When it finds an actual spammer, spamd ties up the spammer's or zombie's connections (by only returning one character per second) without using a lot of your resources. Spammers don't make a lot of noise about this because they don't want to bring attention to the only thing that is really effective as far as giving them some trouble - other than that guy who fills up their product website forms with fake credit card info, Unsolic Commando. If these two techniques caught on, it could put a serious crimp in spammers' easy lives.

  67. You were forced to comply with RFC standards. by swmccracken · · Score: 1

    Oh no! You were forced to comply with the later RFCs!

    RFC 2476 states:
    3.1 Submission Identification
    Port 587 is reserved for email message submission as specified in this document. Messages received on this port are defined to be submissions. The protocol used is ESMTP [SMTP-MTA, ESMTP], with additional restrictions as specified here.


    In other words, for submitting to an MTA, you're supposed to be using 587, not 25, these days. 25 is for inter-MTA traffic. (In practice, allowing submissions on port 25 is often required as well, as that RFC itself states in the paragraph straight after.)

    While most email clients and servers can be configured to use port 587 instead of 25, there are cases where this is not possible or convenient. A site MAY choose to use port 25 for message submission, by designating some hosts to be MSAs and others to be MTAs.

    1. Re:You were forced to comply with RFC standards. by geminidomino · · Score: 1

      I fail to see where that RFC states that you MUST allow submissions on port 587. Until ISPs implement outbound 587 blocking, that stays turned off at the firewall. I still maintain that there's no reason for a residential customer to connect direct-to-mx.

  68. Where best practices meet ISP rules, and lose by WoodstockJeff · · Score: 1
    We try to indulge in the "best practices". All of our servers send out their FQDNs as part of the EHLO transaction. The FQDN sent resolves to the IP sending the mail. Where this has failed is where we don't control the reverse DNS... Something most ISPs won't let you do on a DSL, which some of our customers use.

    Try to explain to SBC that the reason your server's rDNS doesn't match the FQDN is that their rDNS is wrong. I tried that, the first time SBC bounced mail from the server in question. I was told that DNS was my responsibility, unless I was willing to turn it entirely over to them... for an extra charge, and they still wouldn't fix the rDNS, if we did. The third time the second-level tech told me to "fix our own DNS", I requested that he delegate the rDNS for the 65.43.0.0/16 subnet to me, and I'd fix it in an hour!

    (of course, the rDNS for some of the other IPs in that block might stop working right, but that isn't MY problem...)

  69. Re:forcing valid reverse domains on HELO would hel by WoodstockJeff · · Score: 1
    Postfix allows you to configure "don't accept without HELO/EHLO", "don't accept without FQDN in HELO/EHLO", and several other restrictions.

As for having the HELO match the domain of the envelope sender, well, that's tougher. We only host about 50 domains, but they all pass through two servers. Due to the way DNS works, it's not a "best practice" to list "mx.domain1.net" as the mail exchanger for "domain2.net" (although some major ISPs do it), so domain2.net might list "mx.domain2.net", giving the same IP as "mx.domain1.net" uses. What should the mail server send as a HELO when forwarding mail for domain2.net?

    We solved this by always having the mail servers send their own host names. All the domains claim their own FQDN mail server, with the IP of the consolidated server. If you do a MX lookup on the envelope sender, you'll get a matching IP with the sending computer. If you do an rDNS lookup, you'll get a matching host name for the HELO hostname. And, now, if you do an SPF lookup on the domain, you'll also get confirmation of the server's validity in handling mail for that domain. We're going to implement Microsoft's "CallerID for email" when/if we decide we can live with the license agreement...

    Just validating HELO==rDNS or that the HELO matches the domain of the MAIL FROM is something the spammers have moved beyond already. Hundreds of times per day, I get things like the following:
    HELO pcp03753391pcs.walngs01.pa.comcast.net
    The rDNS on the IP matches the HELO command perfectly... but, it's not a valid mail exchanger for COMCAST.NET. Without additional help, all the spammer has to do is claim a MAIL FROM in the COMCAST.NET domain to get in, if you ONLY validate the HELO against the rDNS.

    Right now, we have filters in place to block certain HELO/EHLO domains. We block any attempt to claim to be one of our servers, or any claim to be "aol.com" or "yahoo.com" (both use rDNS-matching FQDNs in their HELOs), but can't do that for HOTMAIL.COM or MSN.COM, because SOME Microsoft servers just send "HELO HOTMAIL.COM", just like the spammers. Grrr...
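The checks WoodstockJeff describes, as an added Python example (not Postfix's code; Postfix's own knobs for the first two checks are reject_non_fqdn_helo_hostname and reject_unknown_helo_hostname). The DNS records, IPs and host list are constructed for the example. It reproduces his point that a HELO can match rDNS perfectly while the host is no MX for the MAIL FROM domain; note that nothing requires a sending host to be an MX, so that last signal is a heuristic to score, with SPF being the proper check.

```python
# Constructed DNS data for the example (documentation address ranges, not real records).
A_RECORDS = {
    "mx.domain1.net": "192.0.2.10",
    "mx.domain2.net": "192.0.2.10",   # same consolidated box, per-domain name
    "pcp03753391pcs.walngs01.pa.comcast.net": "198.51.100.7",
    "mx1.comcast.net": "198.51.100.25",
}
PTR_RECORDS = {
    "192.0.2.10": "mx.domain1.net",
    "198.51.100.7": "pcp03753391pcs.walngs01.pa.comcast.net",
}
MX_RECORDS = {
    "domain1.net": ["mx.domain1.net"],
    "domain2.net": ["mx.domain2.net"],
    "comcast.net": ["mx1.comcast.net"],
}
# Names only our own servers may present in HELO (assumed list).
OUR_HOSTS = {"mx.domain1.net", "mx.domain2.net"}


def check_helo(helo, client_ip, mail_from):
    """Return the individual HELO / rDNS / MX signals as a dict of booleans."""
    helo = helo.lower().rstrip(".")
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    mx_ips = {A_RECORDS.get(h) for h in MX_RECORDS.get(sender_domain, [])}
    return {
        # bare names such as "localhost" fail; "HOTMAIL.COM" would still pass this one
        "helo_is_fqdn": "." in helo,
        # forward lookup of the HELO name must give the connecting IP
        "helo_resolves_to_client": A_RECORDS.get(helo) == client_ip,
        # PTR of the connecting IP must give the HELO name back
        "rdns_matches_helo": PTR_RECORDS.get(client_ip, "").lower() == helo,
        # heuristic only: is the client one of the MX hosts for the sender domain?
        "client_is_mx_for_sender": client_ip in mx_ips,
    }


def verdict(helo, client_ip, mail_from):
    """Policy in the spirit of the post: reject non-FQDN HELOs and forged claims
    to be one of our own servers; otherwise accept and hand back the soft signals
    for scoring by later filters."""
    checks = check_helo(helo, client_ip, mail_from)
    if not checks["helo_is_fqdn"]:
        return "reject", checks
    if helo.lower().rstrip(".") in OUR_HOSTS and not checks["helo_resolves_to_client"]:
        return "reject", checks
    return "accept", checks
```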

  70. Screw Earthlink. by Anonymous Coward · · Score: 0

    The list of ISPs include the likes of AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast.

    The reason I dropped Earthlink in the first place was because THEY were spamming me. I doubt if their heart is suddenly in it.

  71. Impasse: the SMTP VRFY command.... by iamcf13 · · Score: 1

    I skimmed through the pdf file and it mentioned verifying the sender of an email message. That can be done by connecting to the sender's mailserver and issuing a VRFY command for that sender. The problem is, is that because of spammers, the VRFY command has been 'disconnected' to prevent dictionary-style attacks to guess user email addresses.

To have the best of both worlds, bring back the VRFY command to verify single email addresses AFTER waiting for some long delay (such as 50 odd seconds, as Outlook Express will 'time out' after 60 seconds of inactivity). This way, spammers are thwarted and senders are verified. In an earlier post on another thread I suggested that only having official, DNS-recognized mailservers talk to one another and nobody else will go a long way to cut down spam and eliminate the layer of IP address anonymity given to spammers by open/Trojan-created relay mailsystems.

  72. Perhaps I'm just being simple by james_bray · · Score: 1

    But surely the best way to avoid spam is to:

    1. Pick an email address that is not easily auto-generated.

2. Only give this email address to friends/colleagues. Don't use it for newsgroups, email subscriptions, etc.

    This works a treat for me. I have one email address that I use for work that I setup a year ago, and have not had a single spam to date. I have another email address (on Yahoo!) for everything else.

    Or am I missing something obvious?

    James

    --
    http://www.reeb.freeserve.co.uk
  73. Auto generated temp addresses by jazeeb · · Score: 1

I created a simple script to generate temporary email addresses that I can use to post on the web. I send an email to temp_address@mydomain.com and qmail sends me an email address that forwards mail to my normal address, in a form like expire_07day_20040618_103454fqcv@mydomain.com; my crontab removes the aliases that are older than 7 days. Very convenient and works nicely. Coincidentally, Yahoo mail added this type of feature at about the same time I did.