Slashdot Mirror
Major ISPs Publish Anti-Spam Best Practices
wayne writes "The ASTA, an alliance of major ISPs, has just published a set of best practices to help fight spam. The list of ISPs include the likes of AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast. The recommendations include such things as limiting port 25 use, rate limiting email, closing redirectors and open relays, and detecting zombies. For details, see the ASTA Statement of Intent (pdf) or any of the ISP's antispam websites."
Several large ISPs are backing SPF. I even noticed my ISP, Verizon, who tend to be quite lazy and stupid when it comes to spam (and other things), have added an SPF record.
...but the people that would really read these things are the one that know how to avoid most spam already, aren't they? I doubt my parents would even stumble across any of these resources in their daily submitting of their email addresses to every form they can find.
Spammers are like a retrovirus. The will adapt to any system you construct. Creating a list of what every major isp will do to combat them will only serve to accelerate their evolution and make them more effective spammers.
Well.. maybe. Or Maybe not. But Definitely not sort of.
I am thinking about setting up my own personal mail server for my small business.
Is there a guideline that can help me figure out what steps I need to take to harden my mail server?
I will be using either Postfix or Microsoft Exchange.
As long as i still can run my own smtp server.
They can limit outbound port 25 because i still can forward my email through their official smtp server. If they limit inbound port 25, it will suck big time.
How many of those ISPs were caught in pink contracts?
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
...let's just all do something before the government really starts to regulate things. I'm stupid about such things, so out of curiosity why hasn't the w3c or the people who write the RFCs come up with some new SMTP spec?...please...
Summary of ASTA Recommendations
Makes me really glad that I push all my email backwards and forwards through an openvpn connection to my mail server now. As long as my ISP doesn't block UDP port *mumble* I'll be fine.
My wife was not so lucky. She was unable to send email a few weeks ago when our cable modem provider instituted outbound port 25 blocking. Luckily it's really easy to set postfix up to listen for smtp on another port as well - one quick config change and she was back in business. I'm planning to install openvpn for Windows on her box one of these days.
I'd be very happy if everyone could get their act together and reject undeliverable addresses during the SMTP transaction. Delayed bounces are responsible for most of the backscatter which pollutes my mailboxes and logs these days.
Qmail, I'm looking at you. People who don't run something like LDAP on their secondary MXs, I'm looking at you.
I'm almost to the point of blocking the null sender from certain hosts, just because they are nothing but crap. I know all about the RFC (and rfc-ignorant.org), but they're causing a serious problem for the rest of the world.
The worst part is for people who run control panels like Plesk. They have to run qmail (no choice in the matter), and so they either become a delayed bounce source, or they enable the catchall and get to suck down all that mail. They can't win.
Most of exchange problems occur when you have an exchange server being the SMTP gateway. IF I were you, find a product to be the SMTP gateway that doesn't use anything made by Microsoft. There are also serious problems using the IIS SMTP service to talk to exchange. So, in short, get another kind of SMTP gateway to run the SMTP service, and then run Exchange behind it forwarding all mail to your non-microsoft gateway.
But, of course, that might cost the ISP's money. So instead we get a "best practice" document which preaches to the converted and achieves nothing.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
If port25 is being blocked and you dont want users to change their outgoing smtp servers all the time, what is the best way to have reliable email on laptops.
Is VPN the only way to make mail reliable and consistent on laptops?
*COUGH* bullshit *COUGH*
Out of this list of ISPs (AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast), AOL is the ONLY ISP who is actively working in the antispam community - seriously. They've got a single contact for dealing with it and they are keeping their ax sharp and swinging it whenever needed.
All of those other 'posers are lying thru their teeth. Yahoo, MSN/Hotmail, Earthlink, Comcast? Antispam? They'd choke if they tried to say, "We're antispam". It's sad now that AOL has made a solic effort that they're going to be painted with the same brush as those other spam-havens.
Spammers paid a lot to get their spam out and people like AOL and Earthlink cozied right up. Now it is unpopular so they pretend to be fighting spam. My guess is that then they will hold out for more profit from spammers, it is a cycle of blackmail.
best practices to help fight spam. The list of ISPs include the likes of AOL, Yahoo, MSN/Hotmail, Earthlink and Comcast.
Something that would really help is for these big companies to protect their own domain names by going after anyone who forges the headers as such. These days if someone isn't already in my whitelist they are probably going to get caught in my spam filters if they use any of these domain names.
Under most circumstances I think it is a bad thing for a company to throw lawyers at someone until there is nothing left but a smoking hole in the ground, but I think I would make an exception for spammers. These companies not only have the resources to make spamming unprofitable, but they have a valid, and vested interest to do so.
Howdy Doodly Doo!
Anybody want some Toast?
If you want to kill spammers, kill thier source of income. Fine the hell out of the people ADvertising through them. Hit where it hurts (the bottomline) and spammers would be out of a job.
As a mail administrator for a medium size company I've had to deal with residential broadband ISPs blocking access to port 25 a lot lately. It was a headache explaining to employees that work at home, at the office, and at customer sites, that they must change their outgoing SMTP setting in Outlook depending on their location. This is a true PITA as lots of times your not supplied with that information (or at least it is not obvious to the non-technical people), for example, internet access in hotel rooms.
For a while the quick and dirty solution was to use webmail when in doubt but we needed something that people could live with and as much as I dislike M$ Outlook its a lot better than Horde, Neo, or Sruirrel Mail (IMO).
My 80% solution now is to handle SMTP on both ports 25 and, hehe, 26. So far so good, I'm able to go between the office and home on my laptop with no problems where as before Cox Cable wouldnt let me get to our SMTP server.
I'm wondering what other admins have had to do in this situation. I know I'm not alone here. And how do you think it will effect the propogation of spam in the future.
Im dreaming ofa big bndwdth, That can resist the
might help if they publish these in korean and chinese
While the authors say the target audience includes "ISPs and mailbox providers", the list of recommendations reads like a wishlist for large ISPs and email hosters. These are the things that hotmail, yahoo and earthlink want us to do so they don't get as much spam. There is very little in there recommendations that will help me get less spam. If I could use spf to know where hotmail, msn and yahoo send mail from, I'd be able to reject 30% of the spammy organization recieves. This isn't on the list of recommendations, although aol, earthlink, and gmail all do publish spf records.
It's very hard for any mail administrator to block mail from these large domains, because so much of the legitimate mail comes from their actual servers (wherever these are). I'd be happy to reject all mail addresses from msn.com or yahoo.com, but my users would see a huge increase in false positives. It's a no brainer to drop messages addresses from dailyoffers.com because I don't see any legit mail addresed from this domain anyway.
This was just a bunch of fluff. I was hoping for some meat. The big ISPs have enough clout that if they force the issue of good practices everyone will have to adapt and the people who will have to adapt are those with broken non-RFC compliant servers.
Best practices can encompass the RFCs and extend them to, well, best practices.
For example:
Per RFCs every place a domain is used it must be fully qualified and resolvable. In addition, the EHLO is supposed to be the primary hostname of the sending machine.
Anti-spam best practice might say that the machine name must resolve back to the connecting IP. Even better, the reverse entry for the IP must include the correct hostname. This way a receiving machine can determine who the sender claims to be, that the DNS entry for that name matches the IP (anyone can spoof the header but it's lots harder to get to the DNS of a legit operation) and that the reverse DNS shows the correct hostname (which would be harder on those who have low-end connections where they don't have control over the reverse DNS entries but no problem for most IT operations - anyone with a small operation can send through their ISP anyway).
If the major ISPs required just these items to match there would be a brief period of pain while everyone scrambles to fix broken systems but the gains from stopping viruses and spam would be enormous and tracing back to and blocking the remaining spam would be easier.
I also saw nothing about information sharing among the large ISPs so they could quickly act against a spammer or quickly disable the web accounts to which the spam is directing people (carefully, of course, or fake spam could be a means of a DOS attack).
Similarly, there was no mention of blocking email where the from address doesn't match the ISP. A couple years ago I dealt with massive backscatter from spam sent by an Earthlink customer THROUGH the Earthlink server. I tried to get an answer from them on why they were allowing someone to send out email "from" our domain when they have no relationship to us. Silence. Sure this is a pain for some people but people who want legitimate extra services can sign up for them. It's not so different than paying for a static extra IPs. If you want to send from a different domain we'll unblock it for you for a small monthly fee after determining that you are authorized to represent that domain.
This just scratches the surface but all in all this "best practices" is a joke.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
I have a command-line alias set up to use SSH port reflection from port 25 on my laptop to port 25 on my server. My mail client is then configured to use localhost as the outgoing mail server. Whenever I need to send email, I just need to enter one command in a terminal window to enable it until I move elsewhere and the connection is broken.
I used to just run sendmail directly on my PowerBook, but I got too many bounce messages from servers that refuse to accept mail from known dynamically allocated IP ranges, on the assumption that I must be a zombie spammer.
I get my DSL through Earthlink, but my domain is hosted elsewhere. So I don't ever use my Earthlink email address. The ONLY legitimate email coming to that address is my monthly billing statement. And for the last few years, that's pretty much all I got. Sometimes Earthlink itself would send me spam, but it was nothing an embarassing submission to abuse@earthlink.com couldn't handle.
But they recently stopped their server-side spam filtering (Spaminator(tm)) and replaced it with client-side plugins. Overnight I started receiving thirty spams a day to an account that I have NEVER used. Besides the general annoyance that they are shuffling off anti-spam responsibilities to the customer, their plugins are for Windows Outlook and webmail only. (They say it's for Mac as well, but that's only a euphemism for "you must use webmail"). This is unacceptable.
Don't blame me, I didn't vote for either of them!
Is it reasonable to expect that your average home user will act as responsibly as a company's system administrator at keeping their systems patched?
If they keep getting fined and/or booted by ISPs then yes it is reasonable to expect it. After all, our public highways are safer because we expect people to learn to use vehicles and to also properly maintain them mechanically. If you drive around with no brakes and cause and accident you will be held accountable.
What would you prefer? When you have idiots getting infected by viruses by actually entering a password to the encrypted zip attachment it means said user sorely needs some education about proper usage of the device in front of them. Since all the TV/Radio/Newspaper stories telling these same idiots not to open unannounced attachments don't seem to work then hitting them in the pocket book or removing them from the information highway entirely might be a better education method.
Really, the users are only stupid if you keep on letting them do the same old things without educating them, for those extra stupid you need more extreme training methods.
One major question anyone reading this has to ask is -- what constitutes a "legitimate need" to run a mail server (people meeting this condition are those who ISPs should open port 25 for, according to the official doc). I run my own mail server, and have since 2000; additionally, I give out accounts to any of my friends and family that want them. The reason I do this, and the reason people get accounts on my box, is the lack of (unreasonable) restriction I impose on them: no mailbox size limit, no outbound mail size limit, as many aliases as they feel like (of course, I don't run an open relay, and I'd cancel an account instantly if I found someone spamming through it). If I were forced to move to some hosted solution, I would lose a lot of features, and have to pay to boot.
So is it necessary for me to run a mail server? No, I could technically survive without my own. Would it be a travesty if I were forced to switch to cut off spammers? Hell yes!
So until they draw the line on who "needs" to run a mail server, I can't possibly support this concept (or at least the port 25 restrictions piece of it).
How To Get Humans To Mars
I understand that there is no silver bullet to end spam. But recommendation that this document does not address is the hosting of the web site advertised in the email. If spammers also could not find places to host their sites, the utility of spam (to the spammer) would significantly decrease.
The irony is that Yahoo appears to be fairly spammer-website friendly. They kill abusive Geocities pages fairly rapidly, but paying users appear to be basically bulletproof.
I've got one pet spammer (http://suburbanexpress.site.yahoo.net/) that's been hosted from Yahoo and spamming from an Ameritech DSL line since November, and neither will do anything about it.
Blocking outbound port 25 has the effect that zombies cannot send mail to SMTP servers listening on port 25. (Incidentally, it also has the effect that completely legitimate and well-behaving mail servers on the network cannot do so either -- unless there is some form of more or less manual unblocking which the customers can apply for/use)
HAND.