Slashdot Mirror


ISP Responsibility in Fight Against Spam

netpulse writes "Over at CircleID, John Levine shares a letter by Carl Hutzler, AOL Postmaster and Director, blaming irresponsible ISPs as a key part of the problem in the long-term fight against spam. Hutzler says: 'Spam is a completely solvable problem. And it does not take finding every Richter, Jaynes, Bridger, etc to do it (although it certainly is part of the solution). In fact it does not take email identity technologies either (although these are certainly needed and part of the solution). The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers. This is just security and every admin/network operator has to deal with it. We just have a lot of providers not bothering to care.' To which John Levine adds: 'What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost, is better for the net and themselves than limping along as we do now?'"

314 comments

  1. The problem by Anonymous Coward · · Score: 5, Insightful

    Is that some of the worst offenders are the biggest. Do you want to cut off your customers from another ISP because the other ISP is an idiot? Maybe, until your own customers get upset because they no longer receive mail from their friends at the other ISP.

    1. Re:The problem by scooby111 · · Score: 5, Interesting

      It's not even necessarily the ISP. I know that my mail servers aren't being used by spammers because I monitor them carefully. We have corporate customers that run their own email servers on our IP blocks that are overrun. We try to work with them to close down open relays or even suspend accounts when they seem unwilling or unable to stop spamming, but there's only so much we are able or willing to do to shut down a clueless netadmin's mail server.

      In the end, they'll go somewhere else to spam and we'll lose the revenue.

    2. Re:The problem by Anonymous Coward · · Score: 0

      Well tough shit for your bottom line asshole. It's your attitude shared by many others that have us STILL dealing with this retarded issue. Don't allow them to run their own servers unless you configure for them etc etc....fucking prick!

    3. Re:The problem by scooby111 · · Score: 2, Insightful

      Thanks. Do you honestly think that any ISP's admin gets to make revenue decisions? If I started shutting off customers because they are inept netadmins, I'll get fired. What good will that do? The only way that it's going to change is if the government makes the ISP liable for spam sent from its ISP block. When that happens, technologies that can stop the spam cold will finally start to seem cost effective and rational. I suspect that many small ISPs will simply go out of business if it happens. In the end you'll be able to have AOL, Earthlink, or Comcast. Is that what you want?

    4. Re:The problem by scooby111 · · Score: 1

      Thanks. Do you honestly think that any ISP's admin gets to make revenue decisions? If I started shutting off customers because they are inept netadmins, I'll get fired. What good will that do? The only way that it's going to change is if the government makes the ISP liable for spam sent from its ISP block. When that happens, technologies that can stop the spam cold will finally start to seem cost effective and rational. Only then will the bigwigs that get to make the decisions start allowing admins like me to block the spam directly or disable the offender's account.

      I'm not talking dialup users, we already disable their accounts when we see suspicious activity, I'm referring to big corporate customers. You know, the type that should know better. The ones that pay over $1000/month for their internet access.

      I suspect that many small ISPs will simply go out of business if they're held responsible. How about holding the spammers themselves responsible? In the end you'll be able to have AOL, Earthlink, or Comcast. Is that what you want?

    5. Re:The problem by Zocalo · · Score: 3, Informative

      Or, to turn that on its head, when your RFC breaking "spamblocker-challenge" doesn't work (because it's an ill thought out hack) would you want to cut your customers off from receiving email from Europe and Asia just so you have less spam to deal with? Furthermore, despite numerous complaints from both your own customers, people trying to communicate with them and the threat of a class action lawsuit, would you continue that practice for more than a month?

      If you answered "yes" to those questions, then a career at Verizon is waiting for you, because that is exactly what they are doing. If ISPs are going to take responsibility for blocking spam and the prevention of the creation of BotNets that originate most of it then they need to take more care than these idiots.

      --
      UNIX? They're not even circumcised! Savages!
    6. Re:The problem by Anonymous Coward · · Score: 0

      %*#&!@(!)!!! First time I was bitten by the timeout. Full comment below....

    7. Re:The problem by MightyMartian · · Score: 2, Insightful

      Look, you have your IP block, and it's your damn responsibility to make sure that it isn't being abused. The problem is there are too many revenue hungry ISPs out there who refuse to take any damn responsibility for the crap being puked out of their networks, and when guys like me, suffering joe jobs and distributed dictionary attacks try to contact you guys, we either get no response, or just "we're merely the upstream provider, you'll have to talk to them".

      Quite frankly, I think IANA and the other IP provisioning authorities should start threatening guys like you with loss of your subnets if you don't start policing the traffic. Guys like you have cost my company thousands of dollars as we try to protect our customers (and in some cases our equipment) from attacks coming from lazy, greedy networks filled with simpering yes men and bloated CEOs and CIOs. Your attitude is typical of the irresponsible twits who have allowed this poison to screw things up.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    8. Re:The problem by scooby111 · · Score: 2, Insightful

      I agree, it is my responsibility. Do you have any idea how to accomplish that? We monitor connections for suspicious activity. We watch logs of bouncebacks. When we get abuse reports, we investigate them thoroughly. We forward the abuse reports to the admin in question and they either ignore it or have no idea how to fix the problem. If they ask for help, we give them what help we can. If we keep getting abuse reports, we shut the account down.

      Usually at this point, someone in management gets an angry email from the account threatening to quit and I get the directive to re-enable the account and I can't convince them otherwise. Rinse, repeat.

      What exactly would you have me do differently? We've discussed the ability to block outgoing port 25, but nobody in the front office wants to go for it. I for one welcome a law that finally allows me to enforce some filtering without getting fired for it.

    9. Re:The problem by flibuste · · Score: 1

      That is true, but one way or the other users will whine.

      How about voting laws to send spammers to long-term jail?

      Yes, I'm stupid the answer is obvious...PROFIT

    10. Re:The problem by techno-vampire · · Score: 2, Insightful

      In the long run, outbound port 25 blocking saves money. Instead of having to pay for the bandwidth used by a zombie to relay spam, all you get is a bunch of outgoing requests dropping on the floor. Suggest this to your PHB's and see if it helps.

      --
      Good, inexpensive web hosting
    11. Re:The problem by sjames · · Score: 4, Insightful

      Look, you have your IP block, and it's your damn responsibility to make sure that it isn't being abused.

      Actually, the more attention you pay to what your customers' customers are sending over your network, the more legally liable you might be held for anything that slips through. The phone company isn't held responsible if a bank robbery is planned over the phone only because they make no effort to control what is said. (In other words, because they are a common carrier).

      As soon as you start controlling what your users can put out on the net, you lose common carrier protections.

      Keep in mind that the same tactics that help you clamp down on spam will keep you from playing dumb when the Scientologists or others want to SLAPP your customers.

      Other things that hinder spam prevention include pointy headed morons who report legitimate mails as spam because they can't be bothered to unsubscribe to double opt-in lists that they DID subscribe to, blackhole lists that carpet bomb large groups of people every time one unrelated abuser sends a spam (even if that abuser is null routed), or who include sites that somehow offend their political or social values, or might have said something bad about them. There's a reason SpamAssassin doesn't just take any blackhole list's word for it. Anyone who can't be bothered to check if the From: field is forged before badgering half the world's postmasters, etc.

      The last thing we need is to make sure the above foolishness becomes fatal to all but AOL and Earthlink.

      Ultimately, spam will go away when people stop buying things from spammers. Nothing else will likely manage it.

      The natural extension to your argument is that automakers are liable for drunk drivers, the phone company is liable for telemarket scams, and of course, the post office is liable for mail fraud.

    12. Re:The problem by Anonymous Coward · · Score: 0

      Until governments start treating spammers as terrorists and make it open season to kill them, there is no hope.

    13. Re:The problem by geminidomino · · Score: 4, Insightful

      In the end, they'll go somewhere else to spam and we'll lose the revenue.

      So it's better for you to profit from the spammer than for someone else to, since someone is going to?

      Congratulations, you are part of the problem.

    14. Re:The problem by EvilAlien · · Score: 1

      Thank you, this has to be the most insightful comment on this thread yet. Spam is not a simple problem, and the blame for the problem isn't solely on the shoulders of ISPs any more than on the shoulders of the people who insist on not securing their PCs or clicking on trojanzombie-laden emails.

      There are real risks involved in solving the spam problem with knee-jerk big brother tactics. ISPs fail to be about free exchange of information when common carrier liability exemptions go away, and nothing is worth risking that. Spammers need to be treated like the criminals they are, and people who fail to secure their email servers and PCs need to face real consequences as well. The US, though the hosts for the source networks of at least 25% of the world's spam on any given day, needs to work with other governments, just as those governments need to work with others.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    15. Re:The problem by Anonymous Coward · · Score: 0

      Do you want to cut off your customers from another ISP because the other ISP is an idiot?

      Yes.

      Maybe, until your own customers get upset because they no longer receive mail from their friends at the other ISP

      Then explain WHY. The other ISP allows spammers to use their service and does nothing to stop them. Either your customers will understand and thank you for your efforts, or they will leave and go elsewhere. Either way, what's the problem???

    16. Re:The problem by Anonymous Coward · · Score: 2, Interesting

      We just have a lot of providers not bothering to care...In the end, they'll go somewhere else to spam and we'll lose the revenue.

      Well I lost one two weeks ago for this very reason. The customer is a prominent business (one of the largest in one of the communities we service, in our area of about 1/4 of a state). They left for Qwest after a year of absolute refusal to address their IT disasters, leading up to the final "last straw" incident in December.

      In typical "smaller business with bigger infrastructure requirements", this is a real estate office with several dozen workstations for agents. They have several NT4 servers (patchlevel zero - never been patched), running IIS, FTP, Telnet, Exchange, filesharing, etc. Internet access is critical for updating listings, and they had a dedicated connection through my network. Unfortunately, they inadvertently became a hosting site for spammers. Not only does this consume network and server resources (and represents a significant security disaster), but this also invites retaliation. Three times during 2004, DDoS retaliation caused significant impairment to my network and outages to their service.

      Their response? Blame the ISP. Refusing to address their security nightmare, I had to rate shape them in order to restrict DDoS impact, filter countless port ranges and spend no less than 10 hours a month to dealing with their mess. Finally they solved it for us this month by replacing their dedicated service with a $50/month Qwest DSL line. I'm sure Qwest will give them the 24x7 on-call support we provided for this rate and allow them to exhaust Qwest's community network's capacity with DDoS attacks.

      So yes, they will leave the ISP when security is taken seriously? I'd care only from the visibility this client has in their community, but fully recognize that if they continue to get hacked and ignore their responsibility for operating a reliable IT system, they will eventually suffer the consequences.

      Now if we can get GAAP-like requirements for information security passed and make it a crime to run a neglected IT shop... but I digress!

    17. Re:The problem by Pxtl · · Score: 1

      That solves the spam problem, but it doesn't fix all the other things that one can do with an insecure box - DDOS, dictionary, etc. Besides that, it punishes people who are perfectly capable of running a mailserver.

    18. Re:The problem by einhverfr · · Score: 2, Interesting

      I run a small business. I run my own email and web servers. My ISP (Northwest Internet) allows me to do this, and they have been very helpful. Yes, I monitor my email servers, Yes, I test any messaging solution to make sure it is not an open relay before bringing it online. So what you are saying is that I should not be allowed to host my own email servers. That is not an acceptable solution for my business.

      No, I don't send out UCE/Spam.

      Now, my ISP is not lax about these issues. For example, many of my customers have received calls about them sending out mass mailers. If something seems amiss, they will certainly call about it first before they take any further action.

      They will try to work with their customers to a) let them know there is a problem and b) give them a reasonable ability to solve it.

      However, I am sure that if one abuses their network that they will pull the plug on the account. They just know that if they do this without making a good faith effort to make things work for the customer, they risk being sued by the customer (for lost business, etc). I have been relatively happy with their service.

      Quite frankly, I think IANA and the other IP provisioning authorities should start threatening guys like you with loss of your subnets if you don't start policing the traffic.

      Hmmm.... I think that if there is a drought and you water your lawn, the city might be able to shut off your water if you want to set this sort of precedent. Maybe they should. If you get heatstroke and require emergency medical attention, that is still *less than the monetary damage* that taking down my internet line would provide.

      Guys like you would make it impossible for me to carry on my own operations and help my customers run their email servers on-site. This would have cost me hundreds of thousands of dollars too. So who wins? Furthermore, it would make it impossible for my customers to have third parties host their email because they need more accounts than their ISP gives them and this would cost each of them hundreds of thousands of dollars. Put simply, encouraging ISPs (using the means you suggest) to prevent their customers from running email servers will get everyone nowhere real fast including, I suspect, your business.

      Look, the answer is to let the market work. We already have RBLs which help this happen. I have seen at least one ISP go out of business because they were blacklisted after spammers took over their email servers. That seems fair enough.

      --

      LedgerSMB: Open source Accounting/ERP
    19. Re:The problem by Zphbeeblbrox · · Score: 2, Insightful

      I have little sympathy for users and companies who get buried by spam. The solutions for their problems are out there. Any company not pushing a client like Thunderbird with "real" built in spam filtering deserves what they get. There is no excuse for using outlook anymore. I honestly don't have a spam problem. I may get 50+ spam mails a day but I don't see a single one of them. Every one except for the occasional mail a month gets swept into my spam box and then automatically cleaned out of there after a set period of time. Users will stop buying spam when spam stops showing up for them. And educating users on how to avoid it has to be part of the problem.

      --
      If you see spelling or grammatical errors don't blame me. I tried to preview but IE here at work borked the CSS
    20. Re:The problem by secolactico · · Score: 1

      There is no excuse for using outlook anymore.

      Yes, there is. And there will be until some full featured PIM+email comes along. I'm waiting for Mozilla's calendar project to mature, but for the time being, I *need* (and so do many others) a PIM integrated to my email client.

      And there are filters you can use with Outlook: popfile is one of them. Works pretty well in my experience.

      Of course, filtering on the client side doesn't really solve the problem. The spam message arrived in your inbox and used resources to get there.

      Having done sysadmin duties for a medium sized ISP, open relay mail servers are no longer much of a problem. Most of the spam reports we got were for all those spam relaying zombies that seem to exist in every other IP address. We would usually contact a customer (verbally and written) when we got a complaint a second time, their address was blocked.

      Dialup IPs were denied SMTP access except to designated mail relays.

      --
      No sig
    21. Re:The problem by Anonymous Coward · · Score: 0

      hmmm, All this talk about spam and money hunger back stabbers. Yet all you lazy fucks can't get off your ass and use a spam proxy to filter your own incoming mail. Go figure, No wonder people have spam problems. I know I sure don't and I get as much as 1000 emails a day, and everyone is important. So do yourself a favor, get off your lazy ass, learn how to point click and install a spam proxy and Good bye spam problem.

      That's a special bulletin for all you numb nut idiots who think you know it all about administrating a national network that provides global internet access.

      Maybe the problem isn't us, maybe the problem is you. With your no firewalling, pos-non working un-updated virus scanner, non-using spam proxy, and relay ridden computer.

      Stuff that down your know it all pipe and smoke it.

    22. Re:The problem by MightyMartian · · Score: 1

      Now where did I mention people legitimately and responsibly running mail servers? If your ISP says its fine, and you're making sure that you're not a relay, then I have no complaint. However, some residential customer that has had his computer turned into a zombie should not be permitted to blast the Internet with thousands of attacks an hour.

      Don't believe me? We got hit last spring with a million attacks or more a day, and were ultimately forced to bury our mail server behind a Postfix server on a Linux box. Most of these attacks were coming from cable and DSL accounts, in the hundreds of thousands. We got dinged by our provider for popping above our 95th percentile limits, not to mention my time building and testing the new box.

      So I don't see any problem at all with blocking port 25 by default for the average residential and small business customer. If they want to run a mail server, and their ISP allows it, then great. But it's still, in my opinion, the ultimate responsibility of the ISP to make sure that that server is behaving itself.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    23. Re:The problem by tacocat · · Score: 1

      I heard the same argument about why Dow Chemical needed to manufacture Agent Orange. Because if they didn't, someone else would. And given that inevitability, they were only missing the financial profits.

      I'm surprised no one has tried that argument for rape.

    24. Re:The problem by einhverfr · · Score: 1

      The market works this way already to some extent. I like my ISP because they are relatively concerned about security (they do have IDS systems which also scan for virus activity and adaptively attempt to block it). If I had my email through them, I wouldn't get any spam. So they are popular and for good reason.

      So the market already works this way. Let me give you an example of the flip-side.

      There was another ISP in town for a while. The owner hired a student to set up his Linux systems and then when the student went back to school, he tried to run all the servers via webmin. He didn't understand Linux. He didn't understand the server software, and he was running Sendmail. On top of this, he never kept anything up to date.

      So...

      A couple of years ago, his email servers get overrun by spammers and his domain gets blacklisted. His customers call for tech support (why people are rejecting their emails), etc. And last year, he went out of business. Everybody eventually understood that he was not able to maintain the technical infrastructure in a secure fashion. So NWI is growing, while this other ISP is out of business.

      Now... you have another issue too-- if I have a dedicated web server which has an emailer on it, there is no reason I can't use SSH to cause this other server to send out email. Thus again I abuse my ISP's network without them having the ability to stop it.

      Now, regarding what we need to do about Spam--- there are two issues:

      1) Organized crime and zombies. This problem needs to be dealt with by good old-fashioned law enforcement work. We need to catch the people who release and control the zombies. Firewalls would also be helpful in this so XP SP2 may be a good step.

      2) Mass direct mailers with off-shore servers. This is easy. RBL's do most of that work already.

      We are getting to the point where spam can be fought using ordinary means without resorting to filtering TCP 25.

      My concern though is that the more pressure that is applied via regulation, etc. the more likely it is that it will be impossible for my small home-based business to be able to have my own domain name where I can access my email. My solution would be to have an ISP say:

      If you want to run an email server, ask us first. Then when you ask they send you an email which says:

      1) Thoroughly test your server before putting it on the internet and make sure it is not a relay.
      2) Here is a list of third-party consultants you may want to keep on-hand for supporting your email server.
      3) If we find your server is relaying spam, we will block all outbound port 25 requests until you get the problem solved. We reserve the right to test this frequently.

      --

      LedgerSMB: Open source Accounting/ERP
    25. Re:The problem by tacocat · · Score: 1

      Actually, the more attention you pay to what your customers' customers are sending over your network, the more legally liable you might be held for anything that slips through. The phone company isn't held responsible if a bank robbery is planned over the phone only because they make no effort to control what is said. (In other words, because they are a common carrier).

      Yes, but the phone company has a limit of 400 calls per month on a home account line with additional charges per call after that. It's a high limit and I've only once ever hit it. I don't even remember why.

      But even they have a passive limit.

      It might be more effective to simply block and monitor the subnets for viral activity more than anything else. Spammers run most of their spam through viral like proxies. These viruses are always banging on the network looking for more hosts, and that leaves a signature.

      The ISPs could go a long ways by simply shutting down infected customers until they could get themselves cleaned up. And verify that with a 24 hour monitor of their network traffic to ensure it's not infected.

      This doesn't deal with spam directly, but it deals with the most infectious vector of spam-bots.

    26. Re:The problem by tacocat · · Score: 1

      Now where did I mention people legitimately and responsibly running mail servers? If your ISP says its fine, and you're making sure that you're not a relay, then I have no complaint. However, some residential customer that has had his computer turned into a zombie should not be permitted to blast the Internet with thousands of attacks an hour.

      I told my ISP I was running a mail server from my residential account. The person I told was my ISP's pony tailed sys admin in the back room. His response, considering my use of physical firewalls, linux, and other mechanisms, was that he wished there were more people like me on the network.

      Blanket statements about ISPs should do this to all their customers or do that to all their customers is not the correct solution. AOL has managed to block a lot of spam from their network without blasting their own customer base. And I don't think AOL's customer base is the most internet savvy group.

      So, RTFA and ask yourself this: Considering the technical range of users AOL has, and his mention that blocking spam is not as resource intensive as one would think, why not ask yourself what they might have done to block spam so effectively?

      They did it by rigidly enforcing rules of proper email handling, blocking dynamic IP addresses and other RBL lists (not too aggressively either). That's obvious from anyone trying to send email to AOL. They've implemented a lot of typical UCE controls that most other ISPs simply don't do.

      If everyone had a perfectly configured email server, there wouldn't be as much of a problem as there is today.

    27. Re:The problem by instanto · · Score: 1

      So customers with valid need and use of port 25, 110 or whatever should get it blocked and 'hand over control' to the ISP because the ISP is unable to act on abuse reports?

      nice.. close down the good guys.. AND the bad guys [who will still find a way around it]..

      --
      // instant - "I for one welcome our new Decaff Coffee-Flavoured-Coffee Overlords"
    28. Re:The problem by RT+Alec · · Score: 1
      From the article:
      "Should anyone be allowed to operate an email system? Perhaps not."
      Can I hear an Amen?
    29. Re:The problem by Anonymous Coward · · Score: 0

      Why not just aim the filters in the other direction?

      Use an arrowpoint or other content-aware device on your network to redirect all outbound tcp/25 traffic to your company's mail relays, where it is then filtered against spam lists?

    30. Re:The problem by bakes · · Score: 1

      So what you are saying is that I should not be allowed to host my own email servers. That is not an acceptable solution for my business.

      Actually, I think he is OK with you hosting your own mail servers, it's just that he is suggesting that your mail server should be allowed ONLY to send email via the ISP mail servers as a relay. The ISP can then monitor who abuses the email and who doesn't, and can shut off access when required.

      Since most home users use the ISP relays anyway, they won't care. Probably most businesses hosting their own servers wouldn't care either, as long as their mail still gets delivered. There might be some like yourself that might prefer to send email directly from their own servers and the ISP can make allowances in those cases.

      --
      Ho! Haha! Guard! Turn! Parry! Dodge! Spin! Ha! Thrust!
    31. Re:The problem by Zphbeeblbrox · · Score: 1

      I very much doubt you *need* an integrated PIM in your email client. You just like the convenience. You could work with an unintegrated one, you just don't want to. People who don't switch for that reason are saying the convenience of an integrated PIM outweighs the inconvenience of no real email filter.

      Congratulations on using popfile. You found a great solution to Outlook's inadequacies. The point of my post is that people aren't using good filters. And when they don't then they deserve what they get. The technology is out there to fix their problem.

      Now I admit I should have been more generic when I said there was no excuse for using outlook anymore. My intent was that there was no excuse for not using the technology that is "freely" available for spam blocking. Popfile is one of those and so is thunderbird.

      --
      If you see spelling or grammatical errors don't blame me. I tried to preview but IE here at work borked the CSS
    32. Re:The problem by Zphbeeblbrox · · Score: 1

      hrmmm... all bold that's what I get for not previewing. Sorry about that.

      --
      If you see spelling or grammatical errors don't blame me. I tried to preview but IE here at work borked the CSS
    33. Re:The problem by sjames · · Score: 1

      Yes, but the phone company has a limit of 400 calls per month on a home account line with additional charges per call after that. It's a high limit and I've only once ever hit it. I don't even remember why.

      I'll bet that limit isn't on business lines. I suspect the limit has a lot more to do with them wanting to keep people from running a business from cheaper residential service than anything else.

      An ISP that provides colo services for business cannot insist that they not have their own mail server.

      Monitoring for viral activity is nice and all, but it's not as easy as you think. Consider, average traffic from the facility is 500Mbps, one customer (who has a 256 Kbps connection) catches a virus so that their traffic goes from 196Kbps to 240Kbps. It's lost in the noise. The network traffic varies far more on a moment to moment basis out of pure randomness.

      P2p apps and bittorrent traffic look somewhat virus like in their traffic pattern. Do you want to be cut off every time you try to download the latest ISOs for your favorite distro? Please don't tell me to exempt those ports since if that becomes standard practice it will be a matter of days before every new zombie trojan switches to the same port numbers.

      The only thing any of that will accomplish is forcing zombie spammers to infect a few million machines and have each one send one email per hour. Net result? The zombies fly under the radar and still 100's of millions of spams a day go out.

      The facility contains everything from a few free software developers who went in together on colo-ing a PIII to large commercial web servers.

      Given that, and the fact that people report anything and everything as spam including replies to email they sent, email invoices they asked for, mailing list traffic they subscribed to (Note that murphy.debian.org was listed in spamhaus before) not to mention actual spams that actually came from Korea but (surprise) forged the From field. Finally, there's the malicious reports meant to harass the accused or get them off the net. The false and mistaken reports outnumber real spam complaints by a fair margin.

      Now add in that spammers NEVER announce their intentions when they sign up for an account ("Hi, this is Joe Blow, the infamous mega-spammer, I want to colo a spam server") and it becomes a real problem.

      So, what's to be done? Block port 25 and watch all of your legitimate commercial customers leave (or sue for breach of contract). Sniff the traffic (and become Big Brother, get sued, offended customers leave), just do the best you can to deal with legitimate spam complaints (get blackholed anyway because you took longer than someone who has never managed a NOC before thinks it should take)

      By comparison, taking care of spam on a network that is too large for people to ignore or blackhole and where most of the customers have never heard of telnet and wouldn't know how to set up even an open relay mail server is relatively easy. Just block port 25 and push the rest of your problems onto other networks.

      Consider for a moment, YOU get reported as a spammer (probably a joe job). Would you prefer to be instantly cut-off or would you like for your ISP to be 'irresponsible' by forwarding the complaint to you and giving you 24 hours to respond?

      I'm not saying people should just give up and run open relays, just that it's not like there's a simple and effective measure with no bad consequences that ISPs could use and for some reason don't. Insisting that such a magic bullet exists and punishing ISPs that don't implement this mysterious 'it' will only result in a damaged internet where you have a choice of 4 or 5 large unresponsive providers who won't let you do anything but browse the web. If that's what you want, sign up for AOL today!

    34. Re:The problem by secolactico · · Score: 1

      Actually, you hit the nail on the head. I like the convenience. I did try for a few days using a combination of Thunderbird and Palm Desktop and I kept losing my "work rhythm". Surely I could have adapted, but I'm really used to simply flagging a mail for followup by certain date. Or keeping a single contact list for my calendar/email/PDA.

      If Mozilla calendar matures up to that point, I'll switch ASAP. Heck, it might even wean me off windows.

      --
      No sig
    35. Re:The problem by antoineL · · Score: 1

      Well, it can even come out of willingness.

      My ISP was acting as a mail gateway. Four months ago, the mail server exploded because of too much spam (I receive >99% of spam). So they "promoted" me as the main MX.

      Of course I had to learn quickly how to stop wild-relaying (it was completely open before :-( ). Even then, I am unsure I can trust my config.

      Since then, I am burning a CD every other week with the logs, and I dedicate over 1 hour a day just to monitor what is happening, installing memory and disk (my mail server also went off-road) etc. I am learning the hard way what being a seasoned mail admin means... and I am sure it is below the bar, and if some of my users got hit by some of Melissa's friends, well certainly it will add to the bad situation over there. Sorry, but that's life.

      I am sure the ISP did not do half of this, because the fees I paid them will not cover it. Right now, their response is to sell me Just Another Box to "block spam". Of course it is not the solution, just a short-term kludge (but the decision to spend my budget on this or not is mine.) And do not tell me to choose another one, from what I see around it is all about the same.

      On the long term, I share John's concern: we all should do something, or the whole SMTP system will disappear and be replaced by a paying system for the only benefit of You-Know-Who.

    36. Re:The problem by Stephen+Samuel · · Score: 1
      The complaint is not about inbound spam -- it's about outbound spam, and the people doing it. It's about companies selling services to ROKSO list spammers and/or being slow to respond when it's clear that they've got a hard-core spammer on their hands.

      The attitude of 'if I didn't do this someone else would' is part of the problem. If everybody stopped saying that, the spammers wouldn't have anywhere to go for web services and outbound pipes to either send the spam directly or control zombie spam boxes. If there were only a few sites willing to service spammers, they would be easy enough to block, and that would provide them with incentive enough to not do so.

      --
      Free Software: Like love, it grows best when given away.
    37. Re:The problem by tacocat · · Score: 1

      Monitoring for viral activity is nice and all, but it's not as easy as you think. Consider, average traffic from the facility is 500Mbps, one customer (who has a 256 Kbps connection) catches a virus so that their traffic goes from 196Kbps to 240Kbps. It's lost in the noise. The network traffic varies far more on a moment to moment basis out of pure randomness.

      You are looking for the wrong traffic signature.

      Viruses are made to scan for other ports. So you watch the ports on a neighboring machine for Evil Bits from the colocated boxes. Think of a Canary in a Coal Mine.

    38. Re:The problem by mr.+methane · · Score: 1

      Not sure I've seen a suit against a car maker for drunk driving, but I do remember at least one against GM for advertising the Corvette, and forcing a buyer to drive recklessly.. or so the suit claimed, anyway.

      The best solution is to charge for email. A penny would be sufficient; even on the days when I work like a dog, I'd have a hard time spending more than 50 cents.

      What to do with those pennies? Use them to set up and maintain a certification authority which verifies the sender of every email. We make the credit card companies pay for all the crap that fills our 3D mailboxes... why not make them pay for filling up the ones on my computer, which cost just as much to set up and maintain?

      Mail lists would be an issue, but the solution there is to make better use of php-type forums.

    39. Re:The problem by sjames · · Score: 1

      Viruses are made to scan for other ports. So you watch the ports on a neighboring machine for Evil Bits from the colocated boxes. Think of a Canary in a Coal Mine.

      If only we could force virus writers to set the evil bit on outgoing packets.

      Say a nearby machine probes my machine on port 1099. New p2p app, virus, random choice? Someone ran nmap for the hell of it? Weird IRS humor? Yet another bit of babble from Windows?

      The real killer for that is that many viruses hit port 80 or others that are perfectly normal, it's the payload that may or may not be normal.

    40. Re:The problem by Hognoxious · · Score: 1
      nice.. close down the good guys.. AND the bad guys
      This is exactly what my apology for an ISP, the cretinous bunch of imbeciles called "Belgacom Skynet" did. Actually, they've left PoP open but blocked SMTP. They also did this without any form of advance notification, so I looked pretty stupid having to send mail to my customers from my hotmail account. I have a separate account for most clients - sometimes on their own servers - and in some cases my mail wasn't getting through because they had only whitelisted my 'normal' address.

      The only SMTP server permitted is Shytenets, but as mentioned I don't want to use them as my primary email because, well, they suck.

      I have complained several times but only got one answer, and that was not satisfactory or even relevant. Sadly, they have a monopoly so I don't really have a choice.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    41. Re:The problem by Hognoxious · · Score: 1
      However, some residential customer that has had his computer turned into a zombie should not be permitted to blast the Internet with thousands of attacks an hour.
      This was Belgacom Skynet, my ISP's excuse, but I call bullshit. They have a traffic cap per month, so they're already monitoring data volumes, particularly if they monitor by port, which I'm sure is possible even for a bunch of 'tards like them. So, if I (or a spambot that's infected my machine) am sending squillions of emails, it should show on my upstream volumes. At that point, block *my* account from port 25, and FFS tell me about it! I might not know that I've been infected (I probably would, but some people certainly wouldn't). Punishing the innocent along with the guilty is taking the easy way out, lazy, and frankly, a typical Belgian 'compromise' solution.

      BTW, most of the spam I receive via Skynet actually comes from Belgacom themselves.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  2. Dear every ISP in the world, by Anonymous Coward · · Score: 5, Funny


    Dear every ISP in the world including the ones in your parent's basement,

    Please rid your servers of spammers.

    Sincerely,
    The Internet

    ps Yeah, right.

    1. Re:Dear every ISP in the world, by thoughtcr1mes · · Score: 1

      Hmm, what kind of further motivation will these people require to lend a hand in fighting spam? Until they see why, they won't.

    2. Re:Dear every ISP in the world, by Anonymous Coward · · Score: 0

      Here is the reply, Dear AOL, Please Shut The F*CK UP. You can speak after you stop claiming that AOL is faster than 'regular internet' Sincerely, The Internet 2 ps, we will stop rooting your users if our demands are met.

    3. Re:Dear every ISP in the world, by Anonymous Coward · · Score: 0

      Deer f#llo AOL user,

      Yuo forg0t too pr3vu, u fAgot.

      Sinc3r3ly,
      count3r_srtykemast3r883712@aol.com

      ps r u loking for a clan?

    4. Re:Dear every ISP in the world, by Anonymous Coward · · Score: 0

      Dear Internet,

      We have a crack team of experts working on the problem. As a result of having to hire people who actually know what they are doing, your monthly bill will double.

      With Love,
      Your ISP.

      PS What did you expect when you paid $14.99 for dialup?

    5. Re:Dear every ISP in the world, by Stonehand · · Score: 1

      Complete blacklist. By "complete", I don't mean merely blocking SMTP traffic; I mean complete. Mere complaints don't hurt them in the pocketbook, but cutting off their entire customer base and driving them away would. Drive one into bankruptcy if necessary. Sooner or later, the message would sink in and the accountants would decide it's economically preferable to act more reasonably.

      --
      Only the dead have seen the end of war.
  3. More Law Suits by XtremeGod · · Score: 3, Insightful

    So when will the lawsuits start coming out against the ISPs that Spammers are getting their Internet connections through?

    1. Re:More Law Suits by ahodgson · · Score: 1

      Mmmm .. never. They bought themselves a CAN-SPAM act that accomplishes exactly that.

  4. They actually are by Anonymous Coward · · Score: 0

    These admins that set up these enterprise mail systems are quite smart. It just takes one bad [but intelligent] seed, however, to ruin it for everyone.

  5. Not caring? by ZiZ · · Score: 3, Interesting

    Or perhaps just 'getting paid extremely well to host spammers'?

    --
    This flies in the face of science.
    1. Re:Not caring? by Neil+Blender · · Score: 1

      Don't forget 'not knowing'.

    2. Re:Not caring? by Anonymous Coward · · Score: 0

      Don't forget 'lying about not knowing'.

      Convenient that!

    3. Re:Not caring? by geminidomino · · Score: 1

      I stopped buying "We didn't know" a long time ago. Having a working abuse@ address for these issues is an RFC requirement.

      If they don't know, it's because they don't want to.

    4. Re:Not caring? by amuro98 · · Score: 2

      That's the majority of the spam problem right there.

      So long as people can make money from it, they'll keep doing it.

      Many large ISPs *knowingly* have contracts with some of the largest, criminal spammers on the planet. Why? Because money talks. It's a miracle that SPEWS hasn't pitched an entire backbone provider into its list by now.

      Granted, even if the US companies, by some miracle, decided to "do the right thing" instead of just looking out for their own bottom line, you'd still have the cesspool that is China, Korea, Brazil, Russia, and other places where "right" and "wrong" have no meaning, and the only laws that apply are the ones made by those holding money and/or the guns.

      But as folks already know, it's a lot easier to just wholesale blackhole an entire country, than to try to pick through a stream of garbage for the few legitimate messages that may exist in it.

    5. Re:Not caring? by Antique+Geekmeister · · Score: 1

      That happened some years ago with agis.net, and continues to this day with UUnet and its other top tier providers. They refuse to act against their customers that host spam, deliberately or inadvertently.

      BBN used to have a very aggressive anti-spam policy, but it didn't survive the buyout.

    6. Re:Not caring? by dodobh · · Score: 1

      IIRC, SPEWS does list UUnet in there.

      --
      I can throw myself at the ground, and miss.
    7. Re:Not caring? by amuro98 · · Score: 1

      I don't think SPEWS lists all of any backbone network - yet. Large chunks maybe, but not the whole thing. Not like listing 4.0.0.0/8.

  6. He seems to miss.. by Anonymous Coward · · Score: 3, Informative

    ..that nearly all spam emails nowadays aren't sent over open relays but over 0wn3ed i.e. trojaned PCs on high speed (cable, xDSL) connections.

    1. Re:He seems to miss.. by CrankyFool · · Score: 3, Insightful

      No. He doesn't. There's a reason why responsible ISPs (there's that word again) don't allow normal l0ser users to connect to port 25 outside their network.

      The days of "Oh, here's your static IP and full internet access" are behind us. I'm all for "if you demonstrate clue, you may have unfiltered unbound access; otherwise, no port 25 for you!"

      (also: Port 587 is your friend).

    2. Re:He seems to miss.. by Everleet · · Score: 1

      Guilty until proven innocent, eh? I don't think so.

      --
      It's tragic. Laugh.
    3. Re:He seems to miss.. by pthomsen · · Score: 2, Insightful
      ...nearly all spam emails nowadays aren't sent over open relays but over 0wn3ed i.e. trojaned PCs...

      Really?

      How do you know this? I'd love to see the stats that support this. I'm not trying to be facetious, I'd really like to get hard data like that.

      I agree 100% with Carl. Forcing admins to get a clue about the state of their outbound mail is key. And as he says, there are ways to control all this stuff. Even trojaned PCs can be controlled, by limiting the number of outbound messages from that machine to something reasonably low (like 5/hour). If the machine goes over that, you have (most likely) found a trojaned machine.

      Of course, there are going to be significant costs to this approach in the beginning, because of the (presumably) large number of pwned PCs in the world. However, the ongoing cost of keeping up with spam complaints, storage requirements, and bandwidth costs should exceed the price of handling a large load of complaints over a relatively short term (giving a quick ROI), which all PHBs (including myself) like to use to sell it to higher-ups.
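
The per-machine outbound limit suggested in the comment above, sketched as an added example that is not part of the original thread or any ISP's tooling. It assumes a relay log with one `timestamp source_ip verdict` record per line; that format, the addresses and the sample data are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 5                     # the "5/hour" figure from the comment
WINDOW = timedelta(hours=1)   # rolling window, not a fixed clock hour


def parse_line(line):
    """Return (timestamp, source_ip) for an accepted-message record, else None."""
    parts = line.split()
    if len(parts) != 3 or parts[2] != "accepted":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        ipaddress.ip_address(parts[1])   # reject records with a malformed source
    except ValueError:
        return None
    return ts, parts[1]


def find_over_limit(lines, limit=LIMIT, window=WINDOW):
    """Map each source that sent more than `limit` messages inside any
    rolling `window` to the time it first crossed the limit.

    Lines must be in chronological order, as a relay log normally is.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        ts, ip = record
        sent = recent[ip]
        sent.append(ts)
        # Drop messages that are a full window old or older.
        while ts - sent[0] >= window:
            sent.popleft()
        if len(sent) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def build_sample_log():
    """Constructed sample: an ordinary user, a burst sender and a slow sender."""
    day = datetime(2005, 1, 10)

    def line(ts, ip, verdict="accepted"):
        return f"{ts:%Y-%m-%dT%H:%M:%S} {ip} {verdict}"

    lines = []
    # Ordinary customer: three messages across the morning.
    for hour, minute in [(8, 15), (8, 40), (11, 5)]:
        lines.append(line(day + timedelta(hours=hour, minutes=minute), "10.0.0.5"))
    # Burst sender: 40 messages, two seconds apart, starting 09:30:00.
    burst_start = day + timedelta(hours=9, minutes=30)
    for i in range(40):
        lines.append(line(burst_start + timedelta(seconds=2 * i), "10.0.0.9"))
    # Slow sender: one message per hour, on the hour, for eight hours.
    for hour in range(8, 16):
        lines.append(line(day + timedelta(hours=hour), "10.0.0.23"))
    # Records the detector must ignore.
    lines.append(line(day + timedelta(hours=9), "10.0.0.5", "rejected"))
    lines.append("truncated log entry")
    return sorted(lines)   # ISO timestamps sort chronologically as text


if __name__ == "__main__":
    for ip, when in find_over_limit(build_sample_log()).items():
        print(f"{ip} exceeded {LIMIT} messages/hour at {when:%H:%M:%S}")
```

Only the burst sender is reported. The one-message-per-hour source stays under the threshold, which is the evasion raised elsewhere in this thread, so a rate limit of this kind catches noisy hosts and needs other signals for slow ones.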

    4. Re:He seems to miss.. by Anonymous Coward · · Score: 0

      obviously you don't have a clue about the various protocol layers. or do you really want your isp to filter your access on this layer thus also being able to transparently filter your web access etc?

    5. Re:He seems to miss.. by DraKKon · · Score: 4, Informative

      the ISP I use, DSLExtreme, blocks port 25 for all DSL/Dialup users..

      "By default we filter port 25 to only allow outbound email through our mail servers."

      You can request to unblock port 25 if you have a static DSL account... and on top of that...

      "In addition, we will periodically scan port 25 over your DSL line to make sure your mail server is not an open relay. If we find an open relay on your mail server, the port 25 filter will be reinstated and you will be notified by the contact email address entered above."

      If more ISPs were like that.. there wouldn't be as many z0mbi3z...

      --
      "It's not like your minds are as open as the source you love..." - Me to the majority of Slashdot.
    6. Re:He seems to miss.. by suso · · Score: 1

      Uh, that doesn't help much. A lot of the spam these days is coming from hacked computers on cable/dsl connections.

    7. Re:He seems to miss.. by Anonymous Coward · · Score: 0

      Right, because it's not possible to set up SMTP on a port other than 25... right? /hmph

    8. Re:He seems to miss.. by Russ+Nelson · · Score: 1

      Carl is the antispam dude for AOL, and you're an Anonymous Coward. Carl understands that the problem is trojaned PCs. THAT is what he's talking about ISPs taking responsibility for.
      -russ

      --
      Don't piss off The Angry Economist
    9. Re:He seems to miss.. by dubl-u · · Score: 1

      Guilty until proven innocent, eh? I don't think so.

      There are many things where you need to prove that you're not completely clueless. A driver's license is a fine example of this. For driving a normal car, the license is relatively easy to get. To drive a big truck, it's harder. Want to fly a plane? Harder still. Innocence and guilt aren't the issue: competence is.

      99% of DSL subscribers don't even know what having unblocked port 25 access means, let alone care about having it. For the small fraction of us who need the extra power and know how to use it, just asking for it seems a pretty small extra step.

    10. Re:He seems to miss.. by Xtifr · · Score: 1

      Uh, that's exactly what it helps with! Most of the people with hacked computers don't need to/want to run a mail server, so blocking port 25 connections will eliminate these zombie machines as sources of spam. For those few who actually want to run direct mail services, the ISP allows it (which is very nice), but they make you ask for it specially, and they monitor for open relays. Which is really (IMO) the only sensible way to deal with it.

      All in all, one of the most clueful ISPs I've heard of.

    11. Re:He seems to miss.. by Master+Bait · · Score: 1

      I think that IPV6 and static addresses for everybody will go a long way toward stopping spam.

      --
      "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
      --Tom Schulman
    12. Re:He seems to miss.. by suso · · Score: 1

      Ok, I'll let you read what the parent poster said:

      "By default we filter port 25 to only allow outbound email through our mail servers."

      This means that outgoing port 25 connections are still allowed. All a hacked computer needs to do is be connected to on another port (besides 25) and then send the mail through the DSL provider's mail server. This is in effect what is happening.

      You probably thought he meant the other way around, but any ISP that blocked outgoing port 25 certainly would be extreme, but somewhat understandable considering the state of the internet these days.

    13. Re:He seems to miss.. by Mastoid · · Score: 1

      Earthlink does this as well. I do not know if they allow outbound 25 exceptions, as I've never managed to speak to a clueful Earthlink tech. It took three tries to get actual confirmation that they block SMTP outbound.

      Our sales guys use Earthlink for access from the home office and on the road. None of them have the patience or the inclination to learn how to switch the outgoing mail server in their Outlook settings, nor should they. This means I set them up to use Earthlink's authenticated relay at all times.

      This would work great, except when their authenticated relay goes down, or is slow, or refuses attachments over a certain size, or...you know. You can also guess who gets the irritated phone call about it.

      --
      I had an argument...with the person here at the university that teaches OS design. I wonder when I'll learn --Linus
    14. Re:He seems to miss.. by kesuki · · Score: 1

      Nearly all spam that gets past Bayesian filtering maybe, open relays are still key, in fact botnets will actively probe for open relays, they're just another t00l in the spammer's armada. it's just as easy for them to use an open relay as a botnet, and some spammers* might even feel that using an open relay is akin to using an open wifi access point, while creating a botnet is actual hacking...
      *= remember there are a LOT of spammers people sell kits on how to spam in newspapers etc --;

    15. Re:He seems to miss.. by Pxtl · · Score: 1

      Except two little problems:
      1) never heard 'em say yes.
      2) on places that allow port 25 (which is free from the start, not "with permission") you still have to deal with the RBL's bitchy little sister, the Dynamic IP Blackhole List.

    16. Re:He seems to miss.. by sheddd · · Score: 1
      "In addition, we will periodically scan port 25 over your DSL line to make sure your mail server is not an open relay. If we find an open relay on your mail server, the port 25 filter will be reinstated and you will be notified by the contact email address entered above."

      If more ISPs were like that.. there wouldn't be as many z0mbi3z...

      I think 'rooted boxes' are a bigger problem than open relays these days... Conditional port 25 outbound may be a good idea (though how much cost will it add?).

      Most zombies are on random ports (i.e. zombified client makes outbound request for orders which come in on a non protected port).

      I find >50% of the spam that makes it thru spambayes on my main account is from a residential ip block (comcast, etc.). But I'm using blackhole lists too. Since blackholing I'm not aware of losing anything, and my spam on one account has dropped from ~30k/month to ~3k/month. Using these:

      list.dsbl.org
      relays.ordb.org
      sbl.spamhaus.org

    17. Re:He seems to miss.. by smart_ass · · Score: 2, Interesting

      This can be very annoying. Like lots of /.ers out there, I have a work laptop. I have it configured to use my company's ASMTP so that when I travel I don't have to reconfigure everywhere I go. This didn't work at home with my previous provider when they decided to cut off external Port 25 access without warning and without a grandfather clause to get mine opened ... since it required a static DSL account.

      --
      Ouch ... did I just say that.
    18. Re:He seems to miss.. by Xtifr · · Score: 1

      Hmm, yes, that is what I thought/think. "[O]nly allow outbound email through our mail servers" to me implies that port 25 outbound is blocked, past the DMZ where the mail servers reside. Which is, I believe, actually a fairly common setup these days.

      But you're right, if they only block port 25 inbound (and I can see why you thought/think that), then it won't do a damn bit of good. I wonder what the real story is? :)

      cheers

    19. Re:He seems to miss.. by Anonymous Coward · · Score: 1, Informative

      Set up your mail server to use authed smtp over ssl on the proper port.

      You can get through from anywhere not firewalled up tight
      You can control email sizes
      You can control sniffers on hostile networks (wifi, client sites, etc)
      You can control number of retries
      Etc etc etc

      My cable provider blocked 25 and I did exactly that, works great.

    20. Re:He seems to miss.. by frankie · · Score: 1
      No, you're badly misreading that sentence. DSLExtreme's FAQ states exactly what Drakkon and Xtifr said:
      Does DSLExtreme filter any ports?

      A port 25 (outgoing mail) filter is applied to all customers to prevent against spam generated from our network. Customers who wish to have the filter removed in order to run a mail server may do so by registering at: https://secure.dslextreme.com/reg_server

      By registering your mail server with DSL Extreme, you are agreeing to the terms and conditions listed at http://www.dslextreme.com/aup.htm . In addition, we will periodically scan port 25 over your DSL line to make sure your mail server is not an open relay. If we find an open relay on your mail server, the port 25 filter will be reinstated and you will be notified by the contact email address entered above.

      DSLExtreme reserves the right to block any port without prior notice to protect the network and the end users from potential virus attacks spreading over a certain port.
      One of the most enlightened commercial AUPs I've seen in a while.
    21. Re:He seems to miss.. by dodobh · · Score: 1

      The message submission port to be used by end users is 587/tcp, not port 25/tcp.

      Or just VPN to your office and be done with it.

      --
      I can throw myself at the ground, and miss.
    22. Re:He seems to miss.. by dodobh · · Score: 1

      Just pull down the CBL zonefile and count the number of listed IPs.

      --
      I can throw myself at the ground, and miss.
    23. Re:He seems to miss.. by dubl-u · · Score: 1

      on places that allow port 25 (which is free from the start, not "with permission") you still have to deal with the RBL's bitchy little sister, the Dynamic IP Blackhole List.

      If you can't even get a permanent IP address, just relay mail through your ISP's mail server. I'm not interested in accepting email from somebody who thinks they're such a technical hot-shot that they must relay their own mail but can't be bothered running a proper mail server.

    24. Re:He seems to miss.. by clickster · · Score: 1

      The days of "Oh, here's your static IP and full internet access" are behind us. I'm all for "if you demonstrate clue, you may have unfiltered unbound access; otherwise, no port 25 for you!"

      Sure, unless you use Cox for your internet access. In which case, it's "if you demonstrate a willingness to pay an extra $40/mo., you may have unfiltered access; otherwise, no port 25 for you!"

      I switched ISPs to SBC because they don't block port 25. I want to run my own mail server with no restrictions on file size, storage space, etc. I don't send that many e-mails. It's just for personal mail for myself and my family. I would have stayed with Cox if they had a reasonable way for me to get unfiltered port 25 access. I wish they had an opt-in system. They started blocking port 25 to keep spam zombies from getting their mail out. But what about those who want legitimate access? I wouldn't mind signing a well-worded (important) agreement not to spam. Hell, I wouldn't even mind if they put some sort of realistic cap on port 25 traffic (and before some wiseass says "you mean like 0" - no I don't). I pay for my bandwidth damnit. Now let me use it.

      So I now use SBC DSL. Not quite the same speed, but it's mine - all mine! BWAHAHAHAHA!!!!!

      --
      If you mod me down, I shall become less powerful than you could possibly imagine.
    25. Re:He seems to miss.. by Anonymous Coward · · Score: 0

      How long until those are blocked as well?

    26. Re:He seems to miss.. by Anonymous Coward · · Score: 0

      That will work until your providers block those ports as well as the VPN and SSH ones.

    27. Re:He seems to miss.. by dodobh · · Score: 1

      587/TCP requires SMTP AUTH, and optionally TLS.
      I doubt that 587/TCP is likely to be blocked at all, since even weak passwords can be protected by SSL.

      --
      I can throw myself at the ground, and miss.
  7. Blacklisting them publically. by strredwolf · · Score: 4, Interesting

    For every listing backed by proof, post a large ad in the New York Times saying "THIS ISP SUPPORTS SPAMMERS" with the proof behind it. Enforce the PR leverage.

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
    1. Re:Blacklisting them publically. by sexistentialist · · Score: 2, Insightful

      I don't think that the average individual cares that ISP XYZ hosts spammers. If you were to take out an ad that told me the top 50 ISPs in Korea that supported spamming, not only would I not care, but Koreans wouldn't see your ad. Who should fund the advertisements?

      --
      Adrian Goins - President / CEO
      Arces Network, LLC
    2. Re:Blacklisting them publically. by IO+ERROR · · Score: 1
      For every listing backed by proof, post a large ad in the New York Times saying "THIS ISP SUPPORTS SPAMMERS" with the proof behind it. Enforce the PR leverage.

      I'll kick money into this project. Is there a PayPal page up yet? Has anyone even made a project out of it yet?

      --
      How am I supposed to fit a pithy, relevant quote into 120 characters?
    3. Re:Blacklisting them publically. by Lew+Payne · · Score: 1

      How poorly thought out. If you stop to think about it, spammers are the ones
      who will pay dearly (eg: $1000/mo+) for "bullet proof" hosting. Advertise the
      fact that a certain ISP is spammer-friendly, and you're effectively bringing that
      ISP customers willing to pay handsomely for hosting.

      What's interesting here is that it takes many, many $9.95/mo accounts (your
      typical cut-rate hosting charge) to equal one $1000/mo bullet-proof spammer
      hosting account.

    4. Re:Blacklisting them publically. by Technician · · Score: 1

      For every listing backed by proof, post a large ad in the New York Times saying "THIS ISP SUPPORTS SPAMMERS"

      I don't have that kind of money. I don't think Microsoft does either. My recycle bin only holds a couple cubic feet of stuff, so getting rid of the encyclopedia-size paper would also be a problem.

      --
      The truth shall set you free!
  8. a touch of psychology, a brickbat of capitalism by ChipMonk · · Score: 2, Insightful

    What do we have to do to persuade networks...?

    How about putting them on an RBL? When their customers can't send emails, and threaten lawsuits for breach of contract, the ISP operators tend to start paying attention.

    1. Re:a touch of psychology, a brickbat of capitalism by sqlrob · · Score: 1

      I agree with that, but not an RBL for mail. That's being used now by many ISPs, including AOL with little to no effect.

      Drop their packets. ALL OF THEM. Have the border router use the list, not the mail server.

      And before someone yells "collateral damage", I've been on the receiving end of that before (I'm on RoadRunner), so I know damn well the issues.

    2. Re:a touch of psychology, a brickbat of capitalism by sexistentialist · · Score: 2, Insightful

      The problem with _this_ solution is with the validation of the complaints. Some people complain because they get emails from companies that they purchased items from after checking or not unchecking the "please keep me informed" box on the order form. User stupidity doesn't warrant blacklisting an entire ISP's network.

      In my tenure as a network administrator at various locations I've seen the full scope of offenses, from those which are blatant violations of the AUP to those which are users complaining about emails they requested. I've seen one offender result in the blacklisting of an entire /19 netblock, and then I watched the RBL admins ignore all requests to have the block removed from the RBL.

      RBLs with no oversight provide no real value to their subscribers. Again, it comes back to the issue of validation - who validates the complaints, and then who validates that the behavior of the ISP has changed, or that they've removed the offending party? This is no more than vigilantism, and the argument is that the RBL isn't doing anything other than providing something that their users have asked for.

      In the same line as users being stupid and admins implementing mail systems with no real security, many people will subscribe to an RBL because they think it will solve a problem, failing to understand the ramifications and negative repercussions associated with its use.

      If the system generates a single false positive, then the system itself has failed.

      --
      Adrian Goins - President / CEO
      Arces Network, LLC
    3. Re:a touch of psychology, a brickbat of capitalism by gregmac · · Score: 1

      How about putting them on an RBL? When their customers can't send emails, and threaten lawsuits for breach of contract, the ISP operators tend to start paying attention.

      That works both ways. How about when a customer/employee complains they can't receive any email from some user @domain.com? What happens when it's an extremely important client and they're getting messages "sorry, your address has been rejected from sending mail to this system"? When you're talking about money vs network politics, guess which one is going to win the majority of the time?

      --
      Speak before you think
    4. Re:a touch of psychology, a brickbat of capitalism by World_Leader · · Score: 1

      Oh well, too bad, they get what they pay for (i.e., zero), where they are the commercial bulk mailers who think they have some sort of "business relationship" with the recipient. Would a previous business relationship entitle them to free stamps or free phone service for telemarketing, etc? I don't think so.

      Advertising tends to work in all other media because people know they're getting paid for it. The printers, the advertising agencies, the postal system, and so on.

      With spam and other commercial e-mail the only very weak claim is that the end-user is "paying" for it. Which is like saying you pay for telemarketing because you pay for your phone.

      At any rate, if some so-called legitimate advertisers want me, the ISP, to keep things straight as to who are the crooks and who are the good guys then I have to be paid for that ever-growing effort.

      Otherwise all I can say is, as far as my effort is concerned, they are getting all that they paid for and more!

      www.TheWorld.com

    5. Re:a touch of psychology, a brickbat of capitalism by Anonymous Coward · · Score: 0

      What happens when it's an extremely important client and they're getting messages "sorry, your address has been rejected from sending mail to this system"?

      Then the "important client" should get pissed off at the spammers that are causing the problem to begin with.

      If they don't 'get' that, then they can move to another ISP. Which, IMHO, will be more than compensated for by all the people switching TO your ISP BECAUSE of the lack of spam.

    6. Re:a touch of psychology, a brickbat of capitalism by ChipMonk · · Score: 1

      What happens when it's an extremely important client and they're getting messages "sorry, your address has been rejected from sending mail to this system"?

      You can bet that any client or potential client will take note if you complain to them about spam coming from their mail server. If they refuse to take action, making a case for "breach of contract" won't be too difficult.

      Besides, if they're really that clueless, how bad do you want to do business with them? Do you really want someone that hazardous to others' ISP health on your customer list?

    7. Re:a touch of psychology, a brickbat of capitalism by Stonehand · · Score: 1

      Ding.

      Dropping ALL packets will mean such things as

      (a) Complete e-commerce shutdown. No connections, no customers, no revenue. Businesses would either pressure the ISP to comply or split if they couldn't break the blacklist.

      (b) Other customers pissed off that they can't hit their favorite URLs etc. Again, mass subscriber loss.

      One thing that ISPs do understand is bankruptcy. A Korean ISP may shred your complaints and cease-and-desist letters, but losing all their customers is another matter. Violate once, get blacklisted for a while; continue being antisocial, and the blacklist should be permanent until elimination of present management.

      --
      Only the dead have seen the end of war.
    8. Re:a touch of psychology, a brickbat of capitalism by Antique+Geekmeister · · Score: 1

      Wrong. The client may not have enough control over their systems, or their upstream net block, to redirect things to get past your blocks. They're a legitimate emailer, and you've ignored their legitimate contacts. Not opening the bill does not mean you don't owe the money, and when your electricity gets turned off for not paying the bill, you're the one who goes out of business. Similarly, blanket blocking legit email from them this way will cause your customer, or your vendor, to react: they will drop you as a customer, and depending on the circumstances, they may sue you and win.

    9. Re:a touch of psychology, a brickbat of capitalism by ChipMonk · · Score: 1

      The client may not have enough control over their systems

      Wrong. Even if your hosting is completely contracted out, you can still put pressure on them to shape up or lose your business. And what good business would give up that much control of their email?

      Not opening the bill does not mean you don't owe the money, and when your electricity gets turned off for not paying the bill, you're the one who goes out of business.

      You're confusing what I said. I said nothing about you being the client.

    10. Re:a touch of psychology, a brickbat of capitalism by Antique+Geekmeister · · Score: 1

      Wrong. There's not enough money, or time, for most folks to play the shopping game for services like this. And the client, or vendor, is the one who sent you the email that you or your ISP just bounced unannounced. And you, or your company, will take the fiscal and social hit for ignoring these emails.

    11. Re:a touch of psychology, a brickbat of capitalism by ChipMonk · · Score: 1

      There's not enough money, or time, for most folks to play the shopping game for services like this.

      If you have put your business into a position where this is true, then I have no sympathy for you. The name of the game is bargaining/negotiating power, and losing it because of your ISP's intransigence is your own fault.

      Take it into another realm: transportation. If the driver's window in your car periodically opened and closed for no apparent reason, you would take it back to the dealer and demand either a repair or a refund. You would not throw up your hands and say, "I just don't have the time or money, so I guess I'll put up with it."

      Likewise, if your ISP's negligence resulted in an open gateway for spam, and it sent your client (or vendor, doesn't matter) a bunch of UCE or worse, to the detriment of your corporate relations, you have every right to demand a fix or take your business elsewhere. It's that simple.

  9. Drop the ISPs connection by Anonymous Coward · · Score: 0

    Fairly forward and would elicit an immediate response. Too bad everyone who makes this call is a pansy.

  10. Block port 25 outbound? by redelm · · Score: 0, Redundant
    Throttle users' mail through an SMTP server? Why take advice from AOHell? They're "The Internet on Training Wheels" (TM).

    1. Re:Block port 25 outbound? by CrankyFool · · Score: 5, Insightful

      Why take advice from AOL?

      Because their userbase is:
      A) Enormous; and
      B) Very, very stupid.

      What does this mean?

      Look, my ISP -- whose co-owners I've got on speed-dial, and is incredibly clueful -- doesn't have a user spam problem, because pretty much only geeks use them (we pay a bunch extra for the privilege, too). AOL, on the other hand, has the saddest, most pathetic users in the world -- people who are the prime target for PC-p0wning software. Add to that the fact AOL is, like, pretty much the easiest ISP to sign up for. In other words, they're the biggest, fattest, juiciest spam target out there.

      And yet, having looked at the 23,507 spam messages I've gotten over the last 303 days, do you know how many came from AOL?

      Zero.

      I know Carl (not personally, but I'm on some mailing lists with him). He's pretty damn smart. He has to be. Same thing about the rest of the anti-abuse folks at AOL. They're smart, and they're dedicated, and they're very, very, very good.

    2. Re:Block port 25 outbound? by Anonymous Coward · · Score: 0

      > Why take advice from AOHell?

      When was the last time you got spam from AOL users? You have Carl to thank.

      Scoffing at AOL's network infrastructure because you don't like their marketing and user interface betrays a total and willful lack of understanding. It's ignorance, stupidity, and smug righteousness all in one -- all these asinine qualities that most geeks pretend to despise. AOL handles more mail in a second than you will ever see in your lifetime.

    3. Re:Block port 25 outbound? by redelm · · Score: 1
      Smart? And trust spam filters? He must be ignoring his false positives. Or those who just give up. I don't try to mail AOL users. It's just not worth the bother since the mail fails unpredictably 2x more than anyone else.

    4. Re:Block port 25 outbound? by redelm · · Score: 1
      Touched a nerve, did I?

      AOL's marketing and UI are fine for their customer base. But extremely limited and really only suitable for beginners. Like MS-Win*.

      I fear an expansion of their 80/20 mentality will shut the 'net down for the minority. And with it, much of what has made the 'net interesting. Freedom matters, and there's a price to be paid in disorderliness.

    5. Re:Block port 25 outbound? by Anonymous Coward · · Score: 1, Interesting


      And yet, having looked at the 2,000 BOUNCE messages I've gotten over the last 30 days, do you know how many came from AOL?

      Approximately 400.

      Oh yeah, the bounces come because a SPAMMER is using my spoofed email addresses in my domain.

      AOL bounces SPAM from back to SPOOFED "From:" email addresses.

    6. Re:Block port 25 outbound? by Rizz · · Score: 1

      Sounds like you need to get a better ISP if you have to keep any of their numbers on speed dial. 8P

    7. Re:Block port 25 outbound? by VB · · Score: 1

      When was the last time you got spam from AOL users? You have Carl to thank.

      Where the hell was Carl from 1995 - 2000 when AOL was developing its mighty subscriber base along with its unindoctrinated users who were one of the main sources of spam to begin with?

      Now, the biggest ISP can dictate if my users can send their users e-mail? This is because the owner of my block didn't set up reverses for its range and won't do so any time soon.

      At a minimum, they should respond to removal requests from responsible administrators. They currently do not respond to any administrators; they just automate the black-listing of ip addresses and turn away when someone inquires about it. This is irresponsible internet behavior (the Internet was created by scientists and educators for free for all to use, not just for AOL/Time Warner to usurp it exclusively for their profit).

      For Carl to entertain for 1 second that advocating a solution at the ISP level to block outgoing mail is single cell thinking behavior. Spam originates from untended / unmanaged machines. There is no one watching or paying attention who can take responsible action. And, who in hell is policing the address ranges of Asia?

      AOL is an example of the bully in the playground who started the fight, then called the police to narc on the kid who threw the first self-defense swing. Thank Carl for what?!

      --
      www.dedserius.com
      VB != VisualBasic
    8. Re:Block port 25 outbound? by Anonymous Coward · · Score: 1, Insightful

      I must agree, there is no noticeable spam from AOL. However, AOL has THE most idiotic, convoluted, bass-ackwards, methods of UCE reporting to other ISPs.

      They periodically send a spam "report" to ISPs telling of a certain threshold the ISP has reached on their spam radar. But there is no way whatsoever of finding headers of spam originating from an ISP's network from this "report".

      That and the abuse "report" is not always sent to the Whois lookup abuse contact for the IP range in question (which would lead anyone to believe they do not perform proper reverse lookups to begin with).

      The ISP I work for shuts down ALL users who show up in a ~legitimate~ spam/abuse complaint, a ticket is filed so we can track repeat violators, the TSS staff contacts the user and walks them through cleaning their systems before they are let back on the network.

      Come on AOL, if you are serious about spam, then play the game like every knowledgeable ISP does. File a PROPER abuse complaint with the Whois listed abuse or tech address for the IP block, send the complete headers with the abuse complaint. Don't give us this " if the rest of the ISPs.." crap.

      Throw me a bone AOL, and I'll shut a zombied machine down within 5 minutes of receiving your email.

    9. Re:Block port 25 outbound? by InsaneGeek · · Score: 1

      So your owner didn't set up the reverse entries that they are supposed to do, and you are mad at AOL because they and half of the rest implemented the same rules. Spam does originate from untended/unmanaged machines, that's why they block everybody from sending out mail directly and only their provider's servers (which the ISP can monitor). If it's only allowed to come out of their servers, the ISP *can* take responsible action. If your provider won't fix the problem at your end (not having reverse addresses) why would you expect AOL to make an individual exception for yours and the million+ others? You could probably have a staff of 20+ people and all that they'd do all day would be to just type in sites like yours who are incorrectly configured into access lists.

    10. Re:Block port 25 outbound? by Anonymous Coward · · Score: 0

      That is assuming you can access your network due to the volume of "proper" abuse complaints you are receiving. You only *think* you can handle getting an abuse complaint for every spam sent to AOL. Whine enough, and AOL will give you the feed you are asking for, just be prepared to go crawling back and beg for the summary.

    11. Re:Block port 25 outbound? by t-minchin · · Score: 1

      Odd that you don't get any spam from AOL. Over the last four weeks we have received over 16,000 spam emails from AOL - mostly from the sub-domain ipt.aol.com. Obviously that port 25 block isn't watertight...

    12. Re:Block port 25 outbound? by miley · · Score: 1

      So you are complaining about receiving mail that you asked for? Your company contacted AOL to set this up. Go check out your settings at http://postmaster.aol.com/fbl/fblcheck.html If you *really* want your complaints sent to abuse@, then configure it that way. By the way, AOL sends us the full headers (minus To: and From:). We have yet to find a mail that did not originate from our network, though there are certainly invalid complaints.

    13. Re:Block port 25 outbound? by snarlydwarf · · Score: 1

      Jan 25 10:39:32 bombur postfix/smtpd[28000]: D471729EC6D: reject: RCPT from ACB1E8B1.ipt.aol.com[172.177.232.177]: 550 : Client host rejected: AOL refuses mail from dialups, so do we. (global-bad-clients); from= to= proto=ESMTP helo=

      That would be, what, 4 minutes ago?

      I have THOUSANDS of those a day.

      Who do I have to thank for this, since my mail and calls to AOL for the past several months include denials that their customers can spam at all and an eventual admission that their own firewalls don't work but they're "working on it".

  11. Creds by Transdimentia · · Score: 2, Insightful

    For as much as AOL stunk way back where this was concerned you have to give them props for mostly wrangling in their millions of lusers. I wish some other cable and dsl providers would take this charge.

  12. AOL r t3h 4nt1-sp4|\/| d00dz!!11oneone by irokie · · Score: 1

    reads a little bit like an AOL is great, look at our 1337 Anti-Sp4m sk1llz sort of thing to me and not so much like a letter...

    --
    and if you see me strut, remind me of what left this outlaw torn...
  13. How about "accountability" by digitalgimpus · · Score: 2, Interesting

    Accountability is the only thing that will stop spam:

    - don't want your mail servers to be blocked? Secure them so spammers can't use them.

    - don't want to be considered a "spamvertising company"? choose a legitimate ad agency.

    IMHO a multi-level effort is needed:

    - ISPs need to have a blacklist of customers who are known spammers. They need to share info.

    - Consumers need to have a website where they can check the legitimacy of a website, and see if it spams to advertise.

    - Registrars need to stop issuing a bazillion domains to known spammers. When a dozen of a person's domains are referred to as spam sites... no more registration. Share data among registrars.

    The problem now is that there are no consequences for spamming. An extremely low chance of a lawsuit or jail. Extremely low.

    Spam is cheap, and apparently somewhat effective.

    Until you make it not worth the time... people will do it.

    Nobody holds the companies who advertise in spam responsible. Nobody holds ISPs who turn a blind eye to it responsible.

    1. Re:How about "accountability" by sfjoe · · Score: 1

      - ISPs need to have a blacklist of customers who are known spammers. They need to share info.


      That's like putting up a sign saying, "please sue me for libel". It would also probably put you afoul of anti-trust laws.

      --
      It's simple: I demand prosecution for torture.
    2. Re:How about "accountability" by Anonymous Coward · · Score: 0
      ... Accountability blah blah ... -- Help me get a mini mac! [freeminimacs.com]

      What?

    3. Re:How about "accountability" by Rizz · · Score: 2, Insightful

      Domain registration companies will never blacklist spammers -- that's how they make their money. Everyone knows selling domains leads to a big fat wallet at the end of the day, why would they want to reduce their profit forecast for some lousy spam? ..and to those that see signatures: Go disable them. There's never anything useful anyway.

    4. Re:How about "accountability" by Ohreally_factor · · Score: 1

      I find it ironic that you're offering your opinion on how to fix the spam problem at the same time as you're spamming us with the "free mini" link in your sig.

      --
      It's not offtopic, dumbass. It's orthogonal.
  14. Sigh by Anonymous+Crowhead · · Score: 3, Interesting

    Longing for the good old days of when you got spam you fired off an email to postmaster, abuse and operator....

    1. Re:Sigh by Anonymous Coward · · Score: 0

      I am longing for the even older days when there WAS NO SPAM!

    2. Re:Sigh by Anonymous Coward · · Score: 0

      That can still work. The problem is that the clueful admins who monitor those accounts are the same ones who don't tolerate spam on their networks. So perhaps it follows that for networks from which you'll get a response to messages sent to the postmaster or abuse accounts, it's unlikely that you'll need to send a message in the first place.

      Sigh.

  15. The problem is by tabkey12 · · Score: 1

    with 2 things:

    - Disreputable ISPs who are willing to sell bandwidth for 'evil' purposes at a premium (e.g. spam)
    - Everyone's favourite Zombie botnets, which cannot easily be stopped at the ISP level (lots of low level activity). To fix that problem, get people to patch their Windows systems with the latest 'hotfix' for all their software problems!

    1. Re:The problem is by MightyMartian · · Score: 1

      If it was just disreputable ISPs, they'd be out of business in a year. Since ISPs generally have a permanent (or at least semipermanent) lock on an IP block, they'll enter the RBL and tarpits soon enough and disappear for good. I wish that that was the only way the enemy operated.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  16. Clue in to human nature by Ryan+C. · · Score: 4, Insightful

    Wonderful solution. So if people would just stop crashing cars we could get rid of all the safety features. If nations could just get along we could save billions in military spending.

    The current email system does not take into account human nature and is therefore broken beyond all hope of an easy solution. It needs to be replaced with a system designed from the ground up with accountability in mind. Period.

    --
    -Ryan C.
    1. Re:Clue in to human nature by Anonymous Coward · · Score: 0

      Oh please, comparing spam to those issues is just plain retarded. Why don't you come right out with your World Peace comparison instead of just half assing the comment down to a military spending issue. Oh I know why, because you would appear even MORE retarded. Sorry for the names but trying to use the excuse that it's the email systems fault speaks volumes to your knowledge of the topic...so....STFU and let the parents get back to work.

    2. Re:Clue in to human nature by pthomsen · · Score: 1
      Wonderful solution. So if people would just stop crashing cars we could get rid of all the safety features. If nations could just get along we could save billions in military spending.

      RTFA! While Carl seems to rip on most established techniques for stopping spam, that's only because they don't work very well. If they did, why would huge masses of people still be complaining about loads of spam in their inboxes? He also does say that many of the techniques should still be used, but that they won't solve the problem. Quoth: They are a band-aid...

    3. Re:Clue in to human nature by emjoi_gently · · Score: 1

      I thought his message was simple and sensible.
      ISPs should take a little bit of responsibility for what comes out of their network.

      I would love my ISP to send me alerts when I am using unusual ports at unusual volumes. Warn us users that something is wrong on our PCs. I do agree that many old TCP/IP protocols, like email and FTP, were designed for a time when the net was a peaceful, academic place. And they need updating.

    4. Re:Clue in to human nature by bcrowell · · Score: 1
      The current email system does not take into account human nature and is therefore broken beyond all hope of an easy solution. It needs to be replaced with a system designed from the ground up with accountability in mind.
      It's amazing how much time is being spent by large numbers of smart people, trying to put band-aids on the system. I don't even believe it's hard to design a better system -- people are just scared to do it. Here, for example, is an outline I wrote for a system that would reduce spam to a low-level nuisance. It doesn't have any new ideas in it, just ones that have been bouncing around for a long time. All we need is the courage to say that the old system can't be fixed, throw it in the trash, and apply the lessons we've learned.

      The most pathetic thing of all is the check-the-box form that people keep posting on Slashdot purporting to show that a particular method of ending spam won't work. It's become a substitute for intelligent discussion. People just check the boxes, and don't bother to justify which ones they checked. So to save everyone time in the future, here is a perl script that fills in the form automatically:

      #!/usr/bin/perl
      use strict;
      use warnings;

      # Tick one of the four approaches at random.
      print "Your post advocates a\n\n";
      my @approaches = ('technical', 'legislative', 'market-based', 'vigilante');
      my $approach = int(rand(@approaches));
      for my $i (0 .. $#approaches) {
          print $i == $approach ? "(*)" : "( )";
          print " $approaches[$i] ";
      }

      # The rest of the form is kept verbatim in a heredoc.
      my $form = <<'FORM';

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      ( ) Users of email will not put up with it
      ( ) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      ( ) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      ( ) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      ( ) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money

      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      ( ) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      ( ) Extreme profitability of spam
      ( ) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censore

  17. Messenger spam by sn0wflake · · Score: 1

    Why doesn't mail work like MSN, ICQ, etc? I've never received a single piece of spam that way :|

    1. Re:Messenger spam by Neil+Blender · · Score: 1

      Why doesn't mail work like MSN, ICQ, etc? I've never received a single piece of spam that way :|

      What? ICQ spam irritated me right off of ICQ forever more than 6 years ago.

    2. Re:Messenger spam by tabkey12 · · Score: 1

      because you don't want to whitelist everyone who can email you. Really (and if you do, then there are solutions to do this)

  18. responsibility and the expectation thereof by The+Kow · · Score: 1

    It's interesting that people both complain that ISPs are too lax in what they let their users do, but when big companies come along with usage policies that restrict their customers' ability to set up things like their own mail server (read: open relay ahoy!), we gripe and start wondering if there should be a YRO post about it.

    I worked support at Speakeasy Networks for a little while. Speakeasy is well-reputed for letting users do whatever they want with their connection (sans the obviously illegal/unsavory) and you would not believe how many people set up email servers and then leave relays wide open for anyone to utilize. Then they would get mad at Speakeasy for shutting them down until the relay was closed.

    --
    Moo
  19. Port 25 by mboverload · · Score: 1
    I just hope they don't block port 25. I run my own SMTP server for privacy (I'm sure ISPs keep logs, even if they are unaware their programs do) and control. I would be ok for the default blocking of port 25, but if I was allowed to call in and have the block removed that would be fine.

    That solves the problem of bot nets (only 100 people are going to run their own SMTP on a regular size ISP and they are too smart to get a bot program anyway). However, to keep the spammers at bay a "limit" on the number of mails going through that port would be enforced. 100 or so would be fine, and special exceptions for people who really need it (at home mailing lists).

    I completely agree with the article, this is the ISP's problem, and anyone so stupid to not monitor for spam activities should not be an ISP anyway. Hell, I run a mini-ISP (remote location, not at home where this would apply) and I bet I do better than the all-powerful Comcast at this spam stuff.
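
The port 25 proposal in the post above (blocked by default, unblocked on request, capped at "100 or so" messages with exceptions) can be written as a per-customer policy. This is an added sketch, not code from the thread or from any ISP; the class, the customer names, the 24-hour window and the flow records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

DAY = 86400          # assumed window: the post gives a count but no period
DEFAULT_CAP = 100    # "100 or so" from the post


class Port25Policy:
    """Decide what to do with each outbound connection to TCP port 25."""

    def __init__(self, opted_in, caps=None, window=DAY):
        self.opted_in = set(opted_in)     # customers who asked for the unblock
        self.caps = dict(caps or {})      # raised caps, e.g. home mailing lists
        self.window = window
        self.sent = defaultdict(deque)    # customer -> timestamps of allowed mail

    def decide(self, ts, customer):
        if customer not in self.opted_in:
            return "block"                # default: no direct-to-MX traffic
        recent = self.sent[customer]
        while recent and recent[0] <= ts - self.window:
            recent.popleft()              # slide the window forward
        if len(recent) >= self.caps.get(customer, DEFAULT_CAP):
            return "throttle"             # opted in, but over the cap
        recent.append(ts)
        return "allow"


def summarize(policy, flows):
    """Count decisions per customer for (timestamp, customer) records."""
    counts = defaultdict(lambda: {"allow": 0, "block": 0, "throttle": 0})
    for ts, customer in sorted(flows):
        counts[customer][policy.decide(ts, customer)] += 1
    return {customer: dict(c) for customer, c in counts.items()}


def needs_attention(summary):
    """Opted-in customers who hit the cap are the ones worth a phone call."""
    return sorted(c for c, v in summary.items() if v["throttle"])


def run_sample():
    # Constructed flow records: (seconds since midnight, customer id).
    flows = []
    flows += [(i * 2000, "home-smtp") for i in range(40)]         # hobbyist server
    flows += [(3600 + i, "zombie-optin") for i in range(5000)]    # opted in, infected
    flows += [(100 + i, "zombie-default") for i in range(5000)]   # never opted in
    flows += [(i * 50, "list-host") for i in range(1500)]         # approved exception
    policy = Port25Policy(
        opted_in={"home-smtp", "zombie-optin", "list-host"},
        caps={"list-host": 2000},
    )
    return summarize(policy, flows)


if __name__ == "__main__":
    summary = run_sample()
    for customer in sorted(summary):
        print(customer, summary[customer])
    print("follow up with:", needs_attention(summary))
```

The opted-in but infected customer is the case the default block alone does not cover: the cap limits it to 100 messages and the throttle count identifies the machine to clean up.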

    1. Re:Port 25 by Anonymous Coward · · Score: 0

      While I agree with you 100% I think the size of the ISP makes a difference as to how fast one can fix these issues. I'm sure it is PLENTY easier for you at your mini ISP than Comcast with how many subscribers? Still, they should have to do the same thing you are which is securing their network....if more ISPs treated it as a security violation and not just a nuisance we'd (sic) all be better off.

  20. AOL's spam policy is unreasonable by ables · · Score: 5, Informative

    On the surface, AOL looks like the good guys here. However, their draconian spam policy can be as harmful as the spam it's trying to prevent.

    Here's how it works: AOL receives N complaints calling something spam after users click on the "mark this as spam" button. So AOL looks at the previous link in the received-from chain and blocks that entire network.

    Sounds good right? Wrong.

    Say Joe User works at my company part-time from home. Instead of another pop account, he has a forwarding address with our company that forwards to his AOL account. Joe gets spam, and reports it to AOL. AOL looks to see who sent it, sees my company in the "received-from" chain, and blocks not only us, but every other company hosted with our ISP. Thousands of legitimate emails now can't get to AOL addresses.

    It gets worse. Many people use the "spam" button like the "delete" key to get rid of stuff they just don't want right now. AOL doesn't educate its users to realize that reporting something as spam has real consequences, and so people mark real email they requested as spam just because it's easier than deleting around it.

    Our fabulous domain host FutureQuest has had to ban forwarding to AOL addresses as a result. AOL has been completely unreasonable in accepting any responsibility for intelligent spam blocking, and their users and legitimate businesses are suffering.

    At least they're trying, but they're far from the good guys here.

    1. Re:AOL's spam policy is unreasonable by toddlg · · Score: 1

      Same exact thing happened to me. One of my web site customers had mail forwarded from their domain/business to their AOL account. Well, they just clicked away on the "spam" button and AOL almost banned the whole server and dozens of other sites. My hosting provider was kind enough to step in and let me know before that happened, but it was lame anyway...

    2. Re:AOL's spam policy is unreasonable by ghideon · · Score: 1

      When we switched data providers during an office move, we got a new netblock from our new ISP. Turns out our netblock was being blacklisted by AOL. Imagine my chagrin when my Sales people are trying to get a deal signed for our product and they can't get email into AOL after the office move. They did, however, have a nice section on their policies and what not. The non-standard error messages they threw back at the emails weren't as fun however. You shouldn't need a website devoted to explaining how to send email to your domain. That's what standards are for...

    3. Re:AOL's spam policy is unreasonable by sjames · · Score: 1

      Our fabulous domain host FutureQuest has had to ban forwarding to AOL addresses as a result. AOL has been completely unreasonable in accepting any responsibility for intelligent spam blocking, and their users and legitimate businesses are suffering.

      I used to run a virtual webhosting server and had to do the same thing. Customers would have mail to person@legitimatebusiness.com forwarded to same_person@aol.com. Naturally, they would get spam to their business mailbox which would be dutifully forwarded to their aol account. Next thing I know, AOL thinks I'm a spammer.

      AOL's techniques don't scale down to smaller ISPs very well. If a small ISP tried that, they would find their problem 'solved' when postmasters everywhere collectively shrug and firewall them into oblivion.
    4. Re:AOL's spam policy is unreasonable by jmkrtyuio · · Score: 1

      Three things to handle this problem...

      1 - Good neighbor policy

      Prevention:

      "All email that gets forwarded out gets full draconian spam protection or stays local"

      2 - Precision targeting

      Prevention:

      ISPs maintain comprehensive whitelists of proven responsible reliable and clean mailhosts...blacklisting based on spam reports nails the spammer BEHIND the whitelisted server.

      ISPs who repeatedly generate high ratio spam lose whitelisted status. Deservedly so.

      3 - Appeals Process

      Mitigation:

      ISPs maintain an effective and quick mechanism for appeals to be received, handled and investigated

      If you do none of the above you are absolutely correct. AOL is out to get you! After all, YOU are the ISP TFA is describing.

    5. Re:AOL's spam policy is unreasonable by Anonymous Coward · · Score: 0

      This is indeed a serious problem, and is quite common for website hosts.

      A huge chunk of the AOL TOS complaints I have to process involve mail forwarded from sites hosted on my network.

      AOL complaints generally get ignored, but if I get them by the score, I know that there is either an open server on my network, or someone checked their AOL mail for the first time in some weeks.

      My solution so far has been to educate our customers who forward to AOL, often to the point of threatening to cancel their hosting.

    6. Re:AOL's spam policy is unreasonable by miley · · Score: 1

      this is why people are working on DomainKeys
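
The forwarding problem ables describes, and the "nail the spammer BEHIND the whitelisted server" fix jmkrtyuio proposes, come down to how far back the Received chain a complaint is attributed. The sketch below is an added example, not part of any comment and not AOL's actual logic; the whitelist, hostnames, addresses and both sample messages are constructed.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string

# Hypothetical whitelist: hosts known to forward customer mail onward.
TRUSTED_FORWARDERS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed report 1: spam that reached the mailbox via a forwarding address.
FORWARDED = """\
Received: from fwd1.hosting.example (fwd1.hosting.example [192.0.2.10])
\tby mx.mailbox.example with ESMTP; Tue, 25 Jan 2005 10:48:52 -0800
Received: from unknown (HELO mail.bulk.example) ([203.0.113.77])
\tby fwd1.hosting.example with SMTP; Tue, 25 Jan 2005 10:48:50 -0800
Received: from fake.invalid ([198.51.100.5])
\tby mail.bulk.example; Tue, 25 Jan 2005 10:48:40 -0800
From: offers@bulk.example
To: joe@legitimatebusiness.example
Subject: constructed sample

body
"""

# Constructed report 2: the same sender connecting to the mailbox provider directly.
DIRECT = """\
Received: from mail.bulk.example (unknown [203.0.113.77])
\tby mx.mailbox.example with ESMTP; Tue, 25 Jan 2005 11:02:13 -0800
From: offers@bulk.example
To: someone@mailbox.example
Subject: constructed sample

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def peer_ip(received):
    """Return the connecting IP recorded in one Received header, or None."""
    flat = " ".join(received.split())          # undo header folding
    from_part = flat.split(" by ", 1)[0]       # only the 'from ...' clause
    match = IP_RE.search(from_part)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:                         # e.g. [999.1.1.1]
        return None


def attribute(raw, trusted):
    """Walk Received headers newest-first and return (source_ip, forwarders_crossed).

    The top header was written by our own MX, so its peer IP is reliable.
    A lower header is believed only if the host that wrote it is a trusted
    forwarder; the walk stops at the first untrusted peer, because everything
    below that point could have been forged by the sender.
    """
    crossed = []
    for hop in message_from_string(raw).get_all("Received") or []:
        ip = peer_ip(hop)
        if ip is None:
            return None, crossed
        if any(ip in net for net in trusted):
            crossed.append(ip)
            continue
        return ip, crossed
    return None, crossed


def tally(reports, trusted):
    """Count complaints per attributed source address."""
    counts = Counter()
    for raw in reports:
        source, _ = attribute(raw, trusted)
        counts[str(source) if source is not None else "unattributed"] += 1
    return counts


if __name__ == "__main__":
    print("no whitelist:  ", dict(tally([FORWARDED, DIRECT], [])))
    print("with whitelist:", dict(tally([FORWARDED, DIRECT], TRUSTED_FORWARDERS)))
```

With an empty whitelist one complaint lands on the forwarding host, which is the behaviour the thread complains about; with the forwarder whitelisted both complaints land on the host that handed the mail to it.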

  21. How the presentation will go by SamMichaels · · Score: 3, Insightful

    You: "What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost---"

    Boss: "Thanks for your concern."

    Try #2...the CTO...

    You: "What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost---"

    Director: "Cost? My hands are tied...shareholders are disappointed and the board needs convincing anyway."

    Try #3...the board...

    You: "What do we have to do to persuade networks that dealing with their own spam problem, even at significant short term cost---"

    Board: "What is this 'spam' nonsense you're talking about? You know, when I was your age we never had all these technology woes. I don't see how this will benefit anybody. Next on the agenda....."

    1. Re:How the presentation will go by dodobh · · Score: 1

      You: "I have a scheme to save the company 10% of its bandwidth costs and increase your bonus by 15% for innovative cost cutting measures, but that will cause a slight pressure on the balance sheet for the next quarter."

      Put this in the first quarter of the year, and you should be able to squeeze it through

      --
      I can throw myself at the ground, and miss.
  22. Only Part of the Problem by MightyMartian · · Score: 1

    Misconfigured mail servers are only a part of the problem, and a diminishing one at that. A huge amount of the spam we now see is generated by zombies, and the only way I know to stop that is block all consumer port 25 traffic heading outside the network. The ISP I work for had to do this a couple of months ago, even though it created problems for some customers who send email via outside SMTP servers. Worse, SPF-enabled scanners will flag a problem for these customers if they send the mail through our mail server. The only solution is to use port 587 which was originally designated for non-MTA mail traffic. Couple it with SMTP auth to block open relay attacks, this is the only clean way to solve the problem. While I agree that anybody running misconfigured or older servers should clean up their act, if networks don't start cutting off non-MTA SMTP traffic being sent out of their networks, the problem will remain. If this is done, then even if Linux and Mac boxes become big targets for virus writers in the future, at least attacks will be contained within networks.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  23. Caution by Anonymous Coward · · Score: 2, Insightful

    Let's be careful about what ISPs have a "responsibility to fight". Today it's spam, tomorrow it could be "terrorism" (read: your privacy).

    Spam is annoying for those who get any but it doesn't justify the hysteria, IMHO.

  24. Many ISPs just don't/won't care. by mjensen · · Score: 1

    Tell him to start with the big email ISPs (including Hotmail, Yahoo, ....)
    Getting accounts is sometimes too easy, and becomes a game of whack-a-mole with 3 million holes and one hammer.

    Checking for valid email addresses and routes has been brought up many times. ISPs (sometimes justifiably) don't want to implement the changes necessary to stop spam.

    Sorry to whine here, but if big ISPs haven't changed yet, why should small ones.

    1. Re:Many ISPs just don't/won't care. by kerrle · · Score: 1
      Actually, sometimes small ones are the ones that do it right. Certainly, the one I work for does.

      Think about it - small ISPs have to fight for their customers any way they can - any way that they can add value to the service, they will.

      We are very good about preventing spam from ever coming from our network, and we provide very extensive spam reporting and blocking services for our customers - because if we don't, they'll go somewhere else.

    2. Re:Many ISPs just don't/won't care. by quarkscat · · Score: 1

      Amen to that!

      I had a long association with a small regional
      ISP called "EROLS" that provided great service.
      At first, after they were gobbled up by a larger
      ISP, there was no discernable difference in the
      quality of the services they offered.

      Then there was a surge of new subscribers,
      and it quickly became apparent that they had
      done little to improve their bandwidth -- busy
      signals, slow connections, unexplained hang-ups
      all pointed to severe over-subscription.

      When the spammers began their flood of crap
      in earnest, the ISP's response was not to filter
      out the spam or block ranges of IP addresses.
      Instead, they changed their ToS to limit connect
      times and hours per month for their loyal
      customers. Needless to say, I left this ISP,
      but AFAIK, they still have done nothing to keep
      the spammers in check.

      BTW: This ISP is pretty large, having coverage
      in all of New England and the Mid-Atlantic
      states.

      Another (national) ISP that I subsequently tried
      had the annoying habit of dropping connections.
      Their CS department will verbally acknowledge
      that they have modified their posted ToS, but
      will never provide hardcopy or email in that
      regard. They advertise heavily, and are IMHO
      grossly over-subscribed. While they did offer
      some control over spammers, email messages were
      frequently delayed by 8 to 24 hours. Copper
      will even drop annual subscribers that exceed
      their monthly usage limits more than once --
      a policy that they do not post anywhere.

      Until such time that the "Baby Bells" upgrade
      their infrastructure to provide decent DSL
      service, many USA internet users are stuck with
      dial-up ISPs that abuse their subscribers.

  25. He's right by portwojc · · Score: 1

    He's right and it's not anything new. Anyone with half a brain knows that the real problem lies in enforcement of the policies. Not just having the policies. You just have to want to do it.

    Of course they can only start saying this now since they fixed their spam problem.

    The pot has been sand blasted from black to silver. What's the kettle going to do now?

  26. Spam from home users? by trawg · · Score: 3, Interesting

    Does anyone have any figures that detail how much spam comes from zombie home user PCs? I thought the amount was significant, but the quote in this post seems to imply that the vast majority of it comes from less scrupulous service providers.

    (aside: we host a few websites, one of which we discovered was running an exploitable version of PHPNuke - but not before a spammer did and pumped ~20,000 emails into our queue. I noticed it pretty quickly and deleted them and blocked this webmail software across all these sites lest it happen again - but it was an interesting demonstration to me that spammers look for any and every leverage they can get. I keep a much closer eye on our mail queue statistics now!)

    1. Re:Spam from home users? by sqlrob · · Score: 2, Interesting

      The number I last saw was 80+%.

      I've seen known compromised machines spewing for over a month after abuse@ was notified, so it's still an ISP issue.

    2. Re:Spam from home users? by nacturation · · Score: 1

      Isn't the fix for this quite easy? Identify the machines which are connecting out over port 25 to more than X separate IP addresses per unit time. Maybe it's a power-user running his/her own mail server. More than likely, it's a trojaned PC spewing out spam. So block off port 25 access to anything but the ISP's mail server until the user either cleans up their system or demonstrates that they're running a responsible server, if that's even allowed by the TOS.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    3. Re:Spam from home users? by Peyna · · Score: 1

      90% of abuse@ addresses store their mail in /dev/null

      --
      What?
    4. Re:Spam from home users? by pthomsen · · Score: 1

      Hmmm... Does anyone have more details on that number? Where did you see this?

      I'd really like some hard data so the problem can be prioritized. All I've seen in this discussion so far, is "Most" or "almost all", or (as above) "80+%". No sources for this info, or explanation about it.

      Sigh!

      BTW, I'm not being an apologist for botnets or anything, but I'd really like to know how big this problem is, and I can't seem to get any actual data on this. Someone must have done some crunching of logs, to get some idea of the extent of the problem...

    5. Re:Spam from home users? by sqlrob · · Score: 1

      Here's the article I was thinking of. It's dated June, so I don't know how accurate it remains.

    6. Re:Spam from home users? by Anonymous Coward · · Score: 0

      I work for a small hosting company, and spammers are constantly exploiting weak scripts to be one of my biggest day-to-day issues. Their MO is pretty simple:

      1. find an exploitable site, inject some code to pull down (via wget) some tarballed SPAM app and their list.

      2. run the program (inject mail into queues). Because it comes from the webserver, it can be pretty hard to track which user / domain was exploited.

      3. delete itself, rinse and repeat.

      The trouble is since the app does its thing then removes itself, it is pretty hard to track which domain has been exploited. (the mail is usually just from "apache@server" and has bogus names in it.)

      If I catch it in the act, it is easy enough to deal with but if I ever meet one of these guys on the street, I will kick their puny little spammer asses, (since I am a big dude ~ 6'7" -260lbs), it will be fun to tear these grimy little bastards limb from limb. . .

    7. Re:Spam from home users? by pyrotic · · Score: 1

      Someone ought to name and shame the guilty parties. I get so fucked off when abuse@ sit on their lazy arses.

    8. Re:Spam from home users? by Anonymous Coward · · Score: 0

      First, if you do it as "X IP addresses per unit time", spammers will calculate your X and your time unit and then do X-1 per unit time across a few thousand boxes to get their result.

      Second, it is, as you say, only "more than likely" to be a zombie. So then you also have to deal with a small minority of your customers who do this - either explaining why they can't do it any more, or administrating a system of exceptions. The exception system and/or educating support people about the subject takes far more resources than the fix.

      Blocking off access to anything except the ISP's server doesn't solve the problem - they can still mail out through the server so you have to put restrictions on that. And even if they can't use port 25, they can send IM spam, or connect through zombies to machines elsewhere, or through web proxies, or web mail systems.

      Having said all that, it's possible to do it, but it falls into "harder than you might think" rather than "quite easy", unless you are running an ISP with just 100 customers who are all in possession of a clue.

    9. Re:Spam from home users? by sqlrob · · Score: 1

      Someone does. Shame means little to nothing to corporate entities. Only a loss of profit will do anything.

    10. Re:Spam from home users? by nacturation · · Score: 1

      First, if you do it as "X IP addresses per unit time", spammers will calculate your X and your time unit and then do X-1 per unit time across a few thousand boxes to get their result.

      Good point. If the number were only 10 IPs per hour, it would essentially eliminate the effectiveness of the current generation of zombie machines but the next generation would adapt and each machine would spam continually to only 10 domains, for example. Then the ISPs would need to change tactics again. Rinse and repeat.

      Second, it is, as you say, only "more than likely" to be a zombie. So then you also have to deal with a small minority of your customers who do this - either explaining why they can't do it any more, or administrating a system of exceptions. The exception system and/or educating support people about the subject takes far more resources than the fix.

      Well, if customers are running mail servers themselves then they are already the knowledgeable ones. Education isn't a big deal. The average mom and pop whose machine has been pwn3d won't even notice a difference and won't care.

      Blocking off access to anything except the ISP's server doesn't solve the problem - they can still mail out through the server so you have to put restrictions on that.

      Of course -- I'm assuming that any ISP worth their salt already has some kind of filtering to prevent spammers from signing up for an account and blasting spam through them already. At the very least, it's much more noticeable when it's coming through the ISP's own mail server than when it's just yet more packets.

      And even if they can't use port 25, they can send IM spam, or connect through zombies to machines elsewhere, or through web proxies, or web mail systems.

      Good. If enough spam aggregates through a web proxy, then that web proxy can easily be blacklisted. The more mail that funnels through a single source, the easier that source is to block.

      Having said all that, it's possible to do it, but it falls into "harder than you might think" rather than "quite easy", unless you are running an ISP with just 100 customers who are all in possession of a clue.

      Yes, I suppose it's harder than just flipping a switch and magically nuking all the zombies, but the real question is if it would be worthwhile. What if zombie spam could be cut down to 1% of what it is presently? Would that make a difference enough that the hard work to get such a system in place pays off?

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
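
The "more than X separate IP addresses per unit time" check proposed in this sub-thread, together with the just-under-the-threshold behaviour raised in the reply to it, can be run over flow records as below. This is an added example, not code from any commenter or ISP; the record layout `(timestamp, source, destination, port)`, all addresses, the relay and approved-server lists, and the threshold values are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed inputs: the ISP's own relay, and one customer approved to run a server.
ISP_RELAYS = frozenset({"192.0.2.25"})
APPROVED = frozenset({"10.0.0.7"})


def build_sample_flows():
    """Constructed flow records: (unix_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    # 10.0.0.5: 30 different remote mail hosts in five minutes.
    flows += [(i * 10, "10.0.0.5", f"198.51.100.{i + 1}", 25) for i in range(30)]
    # 10.0.0.6: ordinary subscriber, only ever talks to the ISP relay.
    flows += [(i * 60, "10.0.0.6", "192.0.2.25", 25) for i in range(20)]
    # 10.0.0.7: approved customer mail server with wide fan-out.
    flows += [(i * 5, "10.0.0.7", f"198.51.100.{i + 100}", 25) for i in range(50)]
    # 10.0.0.8: exactly 10 new destinations every hour for six hours,
    # i.e. the pace-yourself behaviour described in the reply.
    flows += [(h * 3600 + j * 360, "10.0.0.8", f"203.0.113.{h * 10 + j + 1}", 25)
              for h in range(6) for j in range(10)]
    return flows


FLOWS = build_sample_flows()


def find_fanout(flows, window, max_dests, isp_relays=frozenset(), approved=frozenset()):
    """Return {src: first_timestamp} for sources that contacted more than
    max_dests distinct port-25 destinations within any `window` seconds."""
    recent = defaultdict(deque)      # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst, port in sorted(flows):
        if port != 25 or dst in isp_relays or src in approved:
            continue                 # relayed mail and approved servers are not counted
        q = recent[src]
        q.append((ts, dst))
        while q and q[0][0] <= ts - window:
            q.popleft()              # expire entries older than the window
        if src not in flagged and len({d for _, d in q}) > max_dests:
            flagged[src] = ts
    return flagged


def distinct_total(flows, isp_relays=frozenset()):
    """Distinct direct port-25 destinations per source over the whole sample:
    a slower second signal for hosts that stay under the per-window limit."""
    seen = defaultdict(set)
    for _, src, dst, port in flows:
        if port == 25 and dst not in isp_relays:
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    print("flagged:", find_fanout(FLOWS, 3600, 10, ISP_RELAYS, APPROVED))
    print("totals: ", distinct_total(FLOWS, ISP_RELAYS))
```

On the sample, 10.0.0.5 is flagged at its eleventh destination, while 10.0.0.8 never exceeds 10 per hour yet reaches 60 distinct destinations over six hours, which only the whole-sample total reveals.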
  27. I find blocking ports 1-65535 TCP/UDP in/out by Polarism · · Score: 1

    usually fixes all internet related problems.

    --
    All your base are belong to Google.
    1. Re:I find blocking ports 1-65535 TCP/UDP in/out by Anonymous Coward · · Score: 0

      Much easier than that - just cut that stupid cable hanging out of the back of your PC. Studies show that 99.44% of all internet related problems can be traced to that network cable!

    2. Re:I find blocking ports 1-65535 TCP/UDP in/out by bani · · Score: 1

      it doesn't stop pingfloods.

  28. Sasktel, I love you! by Txiasaeia · · Score: 2, Informative
    "The solution is getting messaging providers to take responsibility for their lame email systems that they set up without much thought and continue to not care much about when they become overrun by spammers."

    My ISP, Sasktel in Saskatchewan, Canada has recently implemented a spam filtering service that has so far resulted in 2 false positives and no delivered spam. It completely blocks all virused emails as well. Finally, it sends out an email every once in a while to remind me to check the status of spam at the online message centre, where you can look at all email sent to me that is "suspicious."

    They also have a fairly comprehensive policy against hosting spammers, which is nice to hear. I know that many of my friends who use other ISPs have been recently flooded with spam, but I've not had any problems thus far. It's nice to have an ISP that cares about its customers!

    --
    Condemnant quod non intellegunt.
    1. Re:Sasktel, I love you! by WolfWithoutAClause · · Score: 1
      Yes it's great to have an ISP that astroturfs on Slashdot!

      p.s. if it's that great, how come you don't show your email address publicly on Slashdot? :-)

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    2. Re:Sasktel, I love you! by rrowv · · Score: 1

      Same goes for Netaddress (USA.net) for me. My address (right up there) is publicly posted all over the net. I get maybe 1 spam a week, at most. And so far, no false positives. I don't know what filtering software they're using, but it sure is effective.

    3. Re:Sasktel, I love you! by Txiasaeia · · Score: 1
      Huh? I thought I did... hafta check up on that. But come on... Saskatchewan has less than a million people in the entire province, and we're pretty much stuck with only one ISP. Why would I need to drum up competition for them? I do know a few people who work for them who say it's a pretty good employer, but I don't happen to work for them, no.

      Slashdot - the only place where a positive comment towards a corporation automatically makes you an employee.

      --
      Condemnant quod non intellegunt.
    4. Re:Sasktel, I love you! by Anonymous Coward · · Score: 0

      Could have *sworn* it was public, hence the spam armour. Oh well, here you go!

  29. If they make enough money spamming... by VernonNemitz · · Score: 3, Interesting

    Then why aren't spammers already their own ISP outfits? Obviously if spamming is their business, getting obstructive middlemen out of the way is a priority!

    1. Re:If they make enough money spamming... by rawg · · Score: 2, Interesting

      Because they would be blocked instantly. By using everyone else, they have a better chance of getting their junk out. It's hard to justify blocking all of Earthlink, AOL, and MSN.

      --
      The above is not worth reading.
    2. Re:If they make enough money spamming... by fimbulvetr · · Score: 2, Informative

      Because mini-isps generally have their own legit cidr blocks. It also implies some type of permanence. These are the two things that keep spammers out of our hands:
      #1. They hide behind real isps cidrs, meaning we'd have to block that isps ip range to stop them, and most of the time they have legit users and this is bad.
      #2. Their ability to pick up and move about. They can move as soon as they are blocked, and are constantly pulling up roots and moving to the next provider that they can suck on for the next 60 days until they are kicked off.

    3. Re:If they make enough money spamming... by AnotherBlackHat · · Score: 1

      Then why aren't spammers already their own ISP outfits?


      They are.
      Top five spammers based on spams-per-ip to hit my spam traps this year;

      #1 1.73413 AS25957 (ACETE-1 Acetech USA, Inc)
      #2 0.89844 AS24734 (ASN-TECHMEX Techmex SA Autonomous System)
      #3 0.38965 AS33012 (EMC-67 Expedite Marketing Corporation)
      #4 0.15137 AS11677 (ITESM Rectoria Universidad Virtual)
      #5 0.11523 AS34061 (GEDOMAX-AS SC Gedomax Pro 2003 SRL)

  30. Evolution of Spam by alpha_foobar · · Score: 1

    Currently, very good software exists for preventing Spam from entering my inbox. I used to collect a message from my CompSci university email server indicating why such and such a message was spam.. more images than text in html, message claims to be outlook 5 mail but missing ms outlook header properties.. etc. So it seems to me spam is poorly developed software. If all ISPs integrate good anti-spam solutions, then wouldn't this encourage SPAMMERS to improve the quality of their solutions? I say long live the ISPs that don't care about SPAM... and leave it to the individuals to pick better ISPs or implement their own Anti-SPAM solutions... this way those who know how to avoid SPAM, can with little or no consideration or effort.

  31. AOL doesn't check complaints before banning by Anonymous Coward · · Score: 0

    My problem is that AOL doesn't actually check reported spam before banning sites. See for reference: http://www.aota.net/Forums/showthread.php?t=18645

    1. Re:AOL doesn't check complaints before banning by MightyMartian · · Score: 4, Informative

      We managed to get into AOL's blackbooks after one of our dialup customers (of all things) got a worm that was firing out SPAM at an impressive rate for a 56k modem, and doing it over a four or five hour period. That's what finally tipped the balance and led us to block port 25 traffic to everything but our mail servers. Any customer wanting to run a mail server has to get permission from us, and it's rightly understood that they will go down before we get into trouble again.

      At any rate, once we cleaned up the problem, I emailed AOL and let them know we'd dealt with it and all was good.

      If you want to talk about an ISP that was tough to deal with, it's RoadRunner. Somehow we got on their block list. They wouldn't respond to my emails to their abuse address, just a standard email with instructions. Even managed to get someone down in Florida who knew a friend of a friend of mine to call and complain, the technician got me a phone number to their security center in Virginia (or wherever it was), and all I got was a recorded message to email them, and then it hung up without even giving me a chance to leave a message.

      I eventually gave up, blocked all RoadRunner addresses going in. Six months later I checked, and we were off the blacklist.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  32. Evidence? by AnotherBlackHat · · Score: 1

    Lots of people make lots of claims about how to stop spam, but I never see evidence that any of it works.
    Supporting (or contradictory) data is in short supply.
    The article mentions AOL has "all but solved" their spam problem, but doesn't give any real numbers.

    1. Re:Evidence? by snarlydwarf · · Score: 1

      Well, if "all but" means "we still have thousands of trojan proxies sending spam out", then, yes, AOL has done everything but solve their own spam problems:

      Jan 25 10:48:52 bombur postfix/smtpd[434]: 1D60729EB0A: reject: RCPT from ACB3BDDA.ipt.aol.com[172.179.189.218]: 550 <darlanaoxanqimohuu@aol.com>: Sender address rejected: AOL addresses must be 16 characters or less.; from=<darlanaoxanqimohuu@aol.com> to=<deleted@cmc.net> proto=SMTP helo=<ACB3BDDA.ipt.aol.com>

      Yep, they've done everything -but- solve their own problems.

  33. MOD LAMER DOWN FOR FREE SIG by Anonymous Coward · · Score: 0

    I find that pretty ironic, you're posting in a comment section about SPAM, badmouthing people who use underhanded advertising, yet your sig contains a pyramid scheme just so that you can get a "free" computer.

    You need to be modded down until that sig gets removed, bottom line. I'll be blowing my points accordingly.

  34. Another revenue source for ISPs? by Locke2005 · · Score: 1

    Block port 25, and charge subscribers a higher monthly fee for unblocking it? Stands to reason that anybody running their own SMTP server is probably using more bandwidth, no?

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Another revenue source for ISPs? by Anonymous Coward · · Score: 0

      That's all we need: pay-per-port access to the net. That's worse than metering bandwidth. No, that's the wrong solution.

  35. Right idea, wrong execution. by msauve · · Score: 0

    The backbone ISPs need to cut peering/links to ISPs supporting spammers. That will never happen, because money talks, and spammers have money. AUP/TOS are for little guys, not spammers.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  36. Blacklists could be the answer by Anonymous Coward · · Score: 0

    The problem is that the wrong people are implementing the blacklists. They need to be implemented by the backbone providers (for a whole downstream). Soon to follow would be downstream providers (to get their access to the backbone opened back up), until it would become necessary to actually fix your spambot system, if you want to get back on the Internet.

    There are too many destinations for blacklists to be implemented at the destination. They need to be implemented as close to the source as possible.

    1. Re:Blacklists could be the answer by fimbulvetr · · Score: 1

      They'd have to filter TCP/IP. That's a _tremendous_ amount of resources for the upstream providers. Think of the boxes they will need to have on *every single* oc-3 (or whatever) they run.

      (This is of course assuming you meant upstream bandwidth providers.)

      IRL, blacklists operate by checking to see if the incoming smtp server is on a blacklist, and 90% of the time (pulled that out of my ass), this will be on the downstream providers caching server (if they are smart enough to have one).

  37. ISPs need to do more to stop spam zombies by jonwil · · Score: 1

    In particular they need to do more to stop the vectors used for the spammers to get the zombies on their users' machine in the first place.

    ISPs should all be running good email virus scanners to remove viruses and infected attachments (including spam and DDOS zombie bots)
    They should be blocking ports used by these zombies (i.e. things like MSRPC, windows file sharing etc and also ports used to send control messages to the trojans)
    They should be educating users about how not to get infected with trojans.
    And they should be taking steps to shut off zombies when they are detected (i.e. if a user's machine is spewing out SPAM, block port 25 immediately and point the user at tools to remove the trojan)

    Something that would be useful is a page (run by the people who do spam blocklists and other spam research) that shows the ISPs around the world that host spammers. At least that would enable the clued-in to avoid those ISPs where possible.

    1. Re:ISPs need to do more to stop spam zombies by WolfWithoutAClause · · Score: 2, Interesting
      According to his presentation at the HOPE conference, John Draper (aka Captain Crunch) recently implemented a honey pot system connected up to an automatic mailing program.

      When his honey pot receives mail it tracks down the mail to the sending machine, works back to the ISP and mails a report to the ISP admins in realtime. If the PC is own3d then the admins usually disconnect it from the net fairly soon until the owners have fixed it, so the machines can only be used for a short time.

      Because the admins work in parallel on the problem worldwide, apparently it's making a noticeable dent in the DDOS population; he connected to IRC and listened to the spammers bemoaning the fact that their favourite toys are getting fixed too quickly. :-)

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    2. Re:ISPs need to do more to stop spam zombies by jonwil · · Score: 1

      Is this affecting boxes that have been owned and are being used for DDOS or just boxes that have been owned and are being used for SPAM?

    3. Re:ISPs need to do more to stop spam zombies by WolfWithoutAClause · · Score: 1

      Presumably he sends mail anyway, but the ISP will only turn off connections they aren't being paid money to turn a blind eye on; so in practice, just the DDOS zombies get hit by this.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    4. Re:ISPs need to do more to stop spam zombies by jonwil · · Score: 1

      Firstly, it's unlikely that ISPs are going to ignore zombie boxes.
      Spammers operating on their networks directly maybe.
      But almost certainly not owned zombie machines spewing out spam (it's far easier for a spammer to just find another zombie box to spam through than it is to try and keep the one they have now alive)

      Someone should set up a page ranking how well ISPs do when it comes to combating spam, viruses and malware that is on their networks and being spread via them.

  38. group apathy by rock_climbing_guy · · Score: 1

    This looks like a textbook example of what is called "group apathy." No one wants to have to be the first one to put anything on the line.

    --
    Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
  39. Gonna have to come from the top down... by HEMI426 · · Score: 2, Interesting

    Unfortunately, one of the only things that's going to force most ISPs to start caring about the amount of spam coming from machines living on their netblocks is going to be the ISP's providers threatening to cut the lower-tier ISPs off if the lower-tier ISPs don't do something about their spam problems.

    I used to be completely against ISPs blocking port 25 from non-MX machines to the outside world. Unfortunately, I've had to change my opinion. The vast majority of the spam that ends up in my spam mailbox (thanks, SpamAssassin and procmail!) and the mailboxes of my users comes from zombied/trojaned machines on residential, always-on internet connections (read, cable and DSL). Most of the e-mail gets tagged properly by SA, however if the ISPs themselves blocked outbound e-mail not relayed through the ISP's mail machines, things would work out much more nicely, the total volume of e-mail hitting other MTAs would drop, etc. There would be much rejoicing.

    SPF is nifty, but it doesn't fix the underlying problem...It just allows for easier identification of mail that's coming from machines it shouldn't come from, etc. Actually getting lots of ISPs to adopt SPF is proving to be a slow process as well.

    In short, ISPs aren't going to do anything to fix the problem unless they have to. Buying a few more boxes to handle the e-mail load (a huge generalization, but you get the idea) of the rampant spam is less of a problem for them than actually sorting out their mail systems to help fix the problem. A good place to start would be some method of making the top-tier connection providers responsible.

  40. SPAM can be Beneficial. by Anonymous Coward · · Score: 0

    If you are paranoid about privacy as I sometimes am, then I can think of at least one benefit for spam and that is, it lowers the signal to noise ratio and makes prying harder. In other words, it increases the amount of garbage that prying eyes have to sift through to get to any "real" personal user data.

    Granted spam filtering technology has come a long way, but even so, the time/cpu/bandwidth used to filter garbage leaves less resources to analyze everything else. On my own PC, I get about 50 pieces of spam for every legitimate piece of email. If that ratio is typical, then that has to make spying more difficult/slower.

    Ok fine, if I'm really concerned about privacy then I should encrypt every email I send, never post to newsgroups, bulletin boards *cough* slashdot *cough*, or talk in chat rooms, buy groceries using those "club cards," pay for everything only with cash, and never REPEAT never take off my tin foil hat.

    LOL, ok playtime is over. Back to coding.

  41. Accountability - HELP ME GET A FREE MINIMAC by sinner0423 · · Score: 1

    Accountability is the only thing that will stop spam.

    Yeah it is. So, I'm holding you accountable for that lame, unwanted, advertisement in your slashsig. Get a job, or something you can do to make the few hundred it takes to buy a minimac.

    How many people have you emailed or bothered with that lame "free stuff" link?

    Somebody mod this clown down.

  42. Re:SPAM can be Beneficial. by rock_climbing_guy · · Score: 1

    Actually, in a previous /. discussion, someone mentioned the idea of hiding a secret message in spam. As it has been said before, often times the best way to keep a secret message from prying eyes is to make it look as though no secret message has been sent.

    --
    Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
  43. irresponsible ISPs by bani · · Score: 1

    a huge number of networks out there are completely irresponsible. they have no working postmaster@ (required by rfc) and abuse@ (optional, but generally expected). quite often the email address on their webpages, phone numbers on their webpages, and email addresses/phone numbers in whois are wrong.

    others have retarded / broken "content filters" making it impossible to report to them any abusive emails originating directly from their customers.

    just a few of the 500+ irresponsible networks i track, who originate spam/viruses/etc directly from ip addresses owned and operated by them, but who can't be bothered to accept complaints:

    rima-tde.net
    charter.com
    dsl-verizon.net
    army.mil
    asu.edu
    ecu.edu
    charterga.net
    vic.gov.au
    cwpanama.net
    charterpipeline.net
    telekom.at
    toronto.edu
    faa.gov
    cableaz.net
    ncyu.edu.tw
    cgocable.ca
    choiceone.net

    it's really sad because most of them should really know better. though some of them do know better, and deliberately choose to ignore complaints as a matter of official corporate policy (eg exodus, now dead...).

    so yes, network operators do bear a huge burden of responsibility for spam, and a lot of spam is due to these network operators ignoring complaints and ignoring repeated and constant network abuse originating directly from their customers.

    1. Re:irresponsible ISPs by NecoX · · Score: 1

      postmaster@ is not required if you give a reason for it not to be available. I think rr.com or somesuch do just that, try mailing them from a residential IP-address space...

    2. Re:irresponsible ISPs by bani · · Score: 1

      postmaster is not optional. period. if you accept email, you are required to have a functioning postmaster address. this is a non negotiable point.

      see: RFC 2821
      section 3.1 paragraph 2
      section 3.6 paragraph 3
      section 4.5.1 paragraphs 2,3

      the only case where it is even remotely close to "optional" is section 3.1 paragraph 3, in which case you would be rejecting all mail outright...

  44. but what about the users? by blew_fantom · · Score: 1

    when i used to work for an ISP way back, initially, it was SysAdmin's inability to admin the box - our email SERVER was open relay fer' crying out loud... which led to our domain being blacklisted. that wasn't fun trying to clean up. a couple of years later, we implemented spam filters and such but the USERS wanted it off. we'd have MRTG action going to monitor traffic and look for anomalies and such... but when it comes to joe blow user who doesn't want his email filtered... what's a small ISP to do? then, as many have said already, there's always the false-positives to deal with, and entire domains being blocked... it's a tough call. current email system wasn't designed to deal with spam so is building a system from the ground up a solution? or is user education more effective? AOL is huge because your grandma' just wants to see cute pictures of you. and sign up for her free ipod. no harm done right? i think it's a multi-tiered, multi-solution effort with multiple parties involved...

    1. Re:but what about the users? by bani · · Score: 1

      but when it comes to joe blow user who doesn't want his email filtered... what's a small ISP to do?

      you give them a web-based control panel that lets them control filtering for their account.

      we find most customers choose to turn filtering ON rather than turn it OFF.

    2. Re:but what about the users? by blew_fantom · · Score: 1

      i guess i should've been more clear.

      that would've been my recommendation as well. using something like squirrelmail as a frontend or something to empower the users. but of course, PHB doesn't see it that way. they went out and bought software that cost 5G's, with NO customizable options and the settings were global, even across virtual domains! needless to say, i didn't stick around very long to find out how the company did. last i heard they sold the isp part of the business and were headed down a slippery hill...

  45. BGP by Anonymous Coward · · Score: 0

    the answer is BGP, AOL = BIG ISP with lots of customers, along with that comes ATDN (time warner etc). Instead of blacklisting, ignore routes from anyone hosting spammers. Vote with your customers, if joe blow won't clean up his ISP, shitcan his traffic they most likely don't want it anyway. When their customers can't get to time warner's content, and their customers can't benefit from those time warner/aol users who spend money online, and their customers leave the spam stops as a matter of course, and they go out of business. Of course they can also wise up and request that you accept their traffic again. YOU DO NOT HAVE TO ACCEPT TRAFFIC FROM EVERYONE ON THE INTERNET. We would be much better off without China and several other international feeds. (dirty little secret, MCI, sprint and glbx make a FORTUNE off of china's spam empire by providing peering). It's called cutting the money flow, when/if we do it, it will stop spam. Richter, Ralsky, Atriks etc can't spew if no one will provide them with connectivity. It's up to blacklist providers, and concerned companies who are being financially hurt daily by these spammers to simply drop their providers in the bgp blackhole and leave them there to rot.

  46. ISP's over-sell their lines, use that knowledge. by khasim · · Score: 5, Insightful
    Do you honestly think that any ISP's admin gets to make revenue decisions.
    They would if they phrased it correctly.

    Suppose you are an ISP with a single T1.

    You don't just sell the available bandwidth. You over-sell it. You might sell 2x your bandwidth or 3x or 4x or 5x.

    You do that because you know that each of your customers will not be using their entire bandwidth all the time.

    But spammers use up a lot more bandwidth than the average customer.
    If I started shutting off customers because they are inept netadmins, I'll get fired.
    You don't do that. You show your boss how that idiot is using 10x the average bandwidth but only paying 1x the average fee.

    That should be easy to do.
    The only way that it's going to change is if the government makes the ISP liable for spam sent from its ISP block.
    There isn't one government. I get a ton of crap from .ch domains now.
    In the end you'll be able to have AOL, Earthlink, or Comcast. Is that what you want?
    I don't think that will happen. There is a market for the small, local ISP.

    The key here is money. The people who behave irresponsibly use more bandwidth than the responsible people (yet pay the same monthly fees).

    If you want to clean your own house, that's the way to do it.

    That's the carrot. The stick is when your entire block is blacklisted because you did NOT deal with the problem that you knew about.
  47. In terms you might understand... by Local+ID10T · · Score: 1

    Thanks. Do you honestly think that any ISP's admin gets to make revenue decisions. If I started shutting off customers because they are inept netadmins, I'll get fired. What good will that do. The only way that it's going to change is if the government makes the ISP liable for spam sent from its ISP block. When that happens, technologies that can stop the spam cold will finally start to seem cost effective and rational. I suspect that many small ISP's will simply go out of business if it happens. In the end you'll be able to have AOL, Earthlink, or Comcast. Is that what you want?

    The problem isn't you -the individual employee. No one is advocating you go cowboy and start changing configurations all on your own. It's you -as in the company you represent. The money hungry, backstabbing, lying, cheating, shortsighted, assholes who see to it that the rest of us spend part of our day deleting spam.

    If you want to talk revenue, if you need the "big picture", think of it in these terms:

    When I recommend an ISP to an individual or a business, I first check that neither their name nor any portion of their IP range is associated with anything on my preferred spam-block lists.

    I have no problem telling a client, a friend, or some random person that I would not recommend you as their ISP choice because it might be on some spam-block lists. I will take the time to explain that this could mean that their website or e-mails may be blocked -that their customers may not be able to see their site, that they may not be able to send e-mails to their friends and family.

    Is that good for your business?
    --
    "You want to know how to help your kids? Leave them the fuck alone." -George Carlin
  48. Not Just Open Relays! by Anonymous Coward · · Score: 0

    It's not just open relays that spammers use, but also "spamware" trojans much like adware/spyware. Also, big time spammers have been known to run their OWN ISPs in order to maintain control over the servers. I've also heard of spammers using tons of dial-up accounts in parallel and in conjunction with their own spam-servers. These will still be thorns in our sides even IF all the open relays are closed.

  49. we block europe and asia... by bani · · Score: 3, Interesting

    ...at customer request. we give customers switches on their webpage-control-panel and they can block anyone and anything they want. a huge percentage of customers block china, korea, russia, etc. because they dont speak mandarin, cantonese, or read BIG5 or EUC-KR or KOI8. customer's choice. boo hoo for the spammers.

    1. Re:we block europe and asia... by RKBA · · Score: 1

      Who is "we"? I would very much like to have an ISP that allows me to filter out email by country/region, and would like to know the name of ISP's who offer this option.

    2. Re:we block europe and asia... by pyrotic · · Score: 1

      What I'd really like to do is block the whole of Florida. Our customers don't speak redneck. Boo hoo for the Floridonians.

    3. Re:we block europe and asia... by AaronLawrence · · Score: 1

      Spamcop Mail offers lots of country-based blacklists that you can choose from, plus other options.

      --
      For every expert, there is an equal and opposite expert. - Arthur C. Clarke
  50. too low... by bani · · Score: 1

    ...more like 99.999%

  51. Don't Oversimplify by Anonymous Coward · · Score: 0

    Lax ISP's? As someone who works for a large ISP I take my AUP seriously and am not afraid to enforce it. My mail servers are not open relays.

    Two points :

    1. I would LOVE to blacklist hotmail.com .. but I can't because it has legit mail traffic. But there are spammers too.. should I blame hotmail?

    2. Any spam coming from my servers is being relayed from windows-infected zombies and is often generated automatically by virus and worm activity. Do I blame myself? or the customer? or microsoft? or the spam mail filter I pay thousands of dollars for that only helps a bit?

  52. It's not uncommon for an isp to block port 25. by neckdeepinspecialsau · · Score: 1

    I know that both earthlink and verizon do. I was testing a James mail server on my earthlink account and I could only send outgoing mail to earthlink customers or myself. I found it really annoying that night, but overall I think it is a good idea. If you want to run a mail server get a premium connection.

  53. Spam is a worldwide problem... by Vellmont · · Score: 1

    You can blame ISPs all you want, but it ignores the fact that Spam is a worldwide problem because the internet is worldwide. If some miracle happens and all US and European ISPs start shaping up, there's nothing stopping Chinese ISPs from offering a spammer's paradise. If your money is green they'll certainly take it and let you spam. Think China is going to outlaw ISPs from taking spammers? I highly doubt it when there's money to be made and little to lose. Even if they do there's plenty of other countries that'd gladly act as safe spam havens for a few greenbacks.

    I just find the whole article to read like a "why can't we just love each other?" response to war. The world isn't going to change just because you wish it would.

    --
    AccountKiller
    1. Re:Spam is a worldwide problem... by Anonymous Coward · · Score: 0

      I am willing to block all of China to solve the problem.

  54. Raise the rates, and then give a "discount". by khasim · · Score: 1

    Raise the monthly rate by $5 and give customers a $5 DISCOUNT if they'll accept "secured" service (read: blocking port 25).

    "Hi! Thanks for calling Big-Internet-Service. This month we're having a special of $5 off our monthly bill with "secured service". This service will help make sure your email to your friends gets to them by making sure your machine doesn't end up on a blacklist somewhere. Would you like the $5 discount?"

    "What's the alternative?"

    "You pay us $5 extra a month and we cut your connection whenever we confirm that you've been spamming."

  55. what will it take ISPs to MAKE them responsibl by kevincw01 · · Score: 1

    If you wait for irresponsible ISPs to pay attention and close their security holes or disable abused accounts then please let me know how cold hell is when it happens. However, look at the problem in a different way. Many, many RBLs exist today for these irresponsible mail servers. If all of these so-called responsible ISPs would cooperate and agree on a central RBL that blacklisted entire IP blocks on the mail port then we could essentially ban the irresponsible ISPs into submission. Your spammers will leave if they receive 100% bounces on their spam. And the customers will leave the irresponsible ISPs if they cannot send legitimate mail. I applaud verizon http://yro.slashdot.org/article.pl?sid=05/01/17/1226237&tid=153&tid=17 on their decision to ban Europe e-mail. If all ISPs did it, I can guarantee that those ISPs would eliminate spammers from their networks.

    --
    netkev.com
    1. Re:what will it take ISPs to MAKE them responsibl by divot2001 · · Score: 1

      Closing parts of the Internet off from one another is completely contrary to the notion that the Internet exists to provide a global, open network of networks that can never be disabled since it has no single links. Without that there is not much point in having email or websites in the first place.

      The worst thing that could happen is for the problem to be managed by a series of punitive changes. Spam offenders would just change their tactics until no one used email anymore. Better to comply with the RFC's for running a mail server so that the problems inherent in the SMTP protocol are acknowledged and a replacement is found.

  56. 100% compliance is NOT a solution by Gunzour · · Score: 1

    He is basically saying "if *everyone* did what we did, there would be no spam". That sounds good in theory, but in the real world, and especially on the internet, you cannot get 100% compliance on *anything*.

    Any solution to spam (or, for that matter, any annoyance in life) which relies on 100% cooperation is doomed to fail. The successful solution will be one that allows a customer to stop receiving spam entirely regardless of what everyone else does.

  57. One Hardline Solution by PhunkySchtuff · · Score: 1

    What my ISP does is block all incoming TCP/IP access to Port 25. They also block all outgoing port 25 access to everything except their own mail server. If you are using their service then you can freely relay mail through their SMTP servers, however then they can easily track the volume of messages being sent.
    I initially found this pretty restrictive (eg: I wanted to run my own mail server, quite in violation of their TOS) however now I have my mail server running on another ISP. I can send directly through my mail server using SMTP over SSL on port 465, which isn't blocked.
    What this ISP has now done is prevent any zombies on their network from flooding spam to anyone. Do I really need to run my own mail server? No, it's a vanity thing. Does my ISP block anything else? Not that I know, or have encountered.
    What I'm getting at is that this is a much better solution than AOL's solution, and the vast majority of internet users don't want to, or need to, run their own mail server so there's no inconvenience to them. Their computers can't be used as spam relays, which is a good thing.
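The port 25 policy described in this comment (and argued for in comment 39), as an added example that is not part of the original thread: an edge filter that drops subscriber SMTP except to the ISP's own relay, plus a report of subscribers whose dropped attempts fan out to many destinations. The address ranges, relay address, threshold and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed, constructed addressing (documentation ranges only).
SUBSCRIBER_NET = ipaddress.ip_network("198.51.100.0/24")
ISP_RELAYS = {ipaddress.ip_address("192.0.2.25")}
SMTP_PORT = 25


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt seen at the subscriber edge."""
    src: str
    dst: str
    dport: int


def decide(flow: Flow) -> str:
    """Return 'allow' or 'drop' under the policy in the comment above."""
    if flow.dport != SMTP_PORT:
        return "allow"                      # e.g. 465 to an outside server
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in SUBSCRIBER_NET:               # subscriber sending mail
        return "allow" if dst in ISP_RELAYS else "drop"
    if dst in SUBSCRIBER_NET:               # inbound SMTP to a subscriber
        return "drop"
    return "allow"


def suspected_zombies(flows, min_destinations=3):
    """Subscribers whose dropped port 25 attempts hit many distinct hosts.

    One stray attempt is usually a misconfigured mail client; a fan-out to
    several destinations is the pattern of a compromised machine.
    """
    attempts = defaultdict(set)
    for flow in flows:
        if (flow.dport == SMTP_PORT
                and ipaddress.ip_address(flow.src) in SUBSCRIBER_NET
                and decide(flow) == "drop"):
            attempts[flow.src].add(flow.dst)
    return {src: len(dsts) for src, dsts in sorted(attempts.items())
            if len(dsts) >= min_destinations}


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "192.0.2.25", 25),     # normal user via ISP relay
    Flow("198.51.100.10", "203.0.113.5", 465),   # own server on port 465
    Flow("198.51.100.20", "203.0.113.8", 25),    # single stray attempt
    Flow("203.0.113.9", "198.51.100.10", 25),    # inbound SMTP to subscriber
    Flow("198.51.100.77", "203.0.113.50", 25),   # fan-out from one host
    Flow("198.51.100.77", "203.0.113.51", 25),
    Flow("198.51.100.77", "203.0.113.52", 25),
    Flow("198.51.100.77", "203.0.113.53", 25),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(decide(f), f)
    print("suspected zombies:", suspected_zombies(SAMPLE_FLOWS))
```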

    1. Re:One Hardline Solution by Anonymous Coward · · Score: 0
      I own a small mail order business and had a Linux server on my Earthlink static DSL.
      Then suddenly Earthlink blocked traffic going to port 25 without prior notice, cutting my business off from customers (no, I have never sent spam, not even "deal of the week" spam to previous customers).
      For a few days I didn't even realize they had cut me (and everyone else) off - I initially thought two or three destination SMTP servers had simultaneously gone down.

      I find it despicable that Earthlink didn't give any notice - they should have given at least 8 weeks notice so that customers can make other arrangements. Or there should have been some way to opt out.

      Anyway, I quickly changed my DSL line to another provider that does not have such an idiotic policy (Sonic.net in Santa Rosa) and have been happy as a camper ever since.
      When I cancelled my Earthlink account, I told the callcenter guy in no uncertain terms WHY I was cancelling.

    2. Re:One Hardline Solution by a24061 · · Score: 1
      Do I really need to run my own mail server? No, it's a vanity thing.

      I assume your ISP runs a consistently good outgoing SMTP server.

      My ISP's SMTP usually works, but when it occasionally goes wrong, mail can sit queued for a day without returning any warning messages. If they didn't allow users to run their own mailrouters, I could be stuck unable to get important mail out.

      My ISP claims that all services other than connectivity are "free services" provided to connection customers. This is a dirty trick to avoid giving any refunds when things go wrong.

    3. Re:One Hardline Solution by Mycroft_VIII · · Score: 1

      One question. Was your account set up to run this business (from Earthlink's standpoint)? Because if all you ordered from them was a regular consumer account, even a high end one, and not a business account then really your complaint is significantly weakened. True, warning would have been the nice and polite thing to do, but if their business relationship with you wasn't of the sort for them to reasonably expect you to have reliance on port 25 then they didn't really do anything wrong.
      Of course their tos is also significant here, if it specifically banned running servers or businesses on the type of account you had then you not only have no complaint, but THEY have a valid complaint.
      Basically the devil is in the details. I suspect you just had a consumer account and got upset that they stopped giving you privileges on their network you hadn't paid for.

      Mycroft

      --
      https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
  58. That's a problem anywhere. by khasim · · Score: 1

    Someone (Joe) inside your company sends email to another account of theirs.

    Joe then reports that email as "spam" to a blacklist.

    BAM! You're identified as a spammer.

    You see the reject comments on your mail server.

    You check the blacklist and look up the emails that were reported.

    BAM! Joe is fired.

    You show the blacklist site that you're not an open relay or proxy or whatever and you get removed from the blacklist.

    If it's coming through YOUR network, it is YOUR responsibility. You can filter spam/viruses going out of your servers (and you should be doing that).

  59. Just a thought by okorpheus · · Score: 2, Interesting

    Before the flames roll in, let me say I'm not advocating a view, just throwing it out for thought. Let's say someone tries to draw some conclusions about the general opinions of slashdot posters. How do we reconcile the beliefs that ISPs are responsible for spam going through their systems, but not pirated files?

    1. Re:Just a thought by Anonymous Coward · · Score: 0

      Spam is actually stored on their mail servers and then exits their systems. And plus, I don't like spam. Now if people were emailing me Half-Life 2.... :P

    2. Re:Just a thought by divot2001 · · Score: 2, Interesting

      If a group of terrorists armed to the teeth managed to break into a building monitored by a single security guard would we draw the conclusion that security everywhere is useless? Of course not, just that for this particular situation some highly trained criminals exploited a poorly guarded target.

      It's the same with mail servers, fix one problem and another appears, ad infinitum. Bottom line; SMTP is useless and should be relegated to the dark ages when only scientists and soldiers used email.

      SMTP requires trust in others mail servers' good faith (a) adherence to RFCs and standard practices, and (b) prevention of malicious intent. Close an open relay and reinstalling W2K server with the default options opens another one at least for a bit. Shut down an ISP haven for hackers and some shmuck running an NT 3.51 server on a Commodore 64 down in Kenya will decide to try to setup a webserver without deselecting SMTP from the other Web services.

      The whole system of SMTP is a mess of patches, fixes, and outright nonsense that requires less ingenuity to circumvent than it does to repair. As a matter of fact, the smarter you are the more you work around the rules such as using relays and Deny Lists to either fabricate your own information or else restrict communications on the Internet. Which is worse lying about something with good intentions or following the rules and violating the basic principle the Net was founded on?

    3. Re:Just a thought by a24061 · · Score: 1
      How do we reconcile the beliefs that ISPs are responsible for spam going through their systems, but not pirated files?

      Easy. The following are two entirely different situations.

      (1) When you send spam, you are pushing material at other people who don't want it and wasting their time and bandwidth.

      (2) When you run a P2P program or put pages on your website that some corporation doesn't like, you are providing material that other people can choose to download or not.

    4. Re:Just a thought by dodobh · · Score: 1

      Spam is Unsolicited Bulk Email (It has to be both unsolicited and bulk).

      This lands up in the mailbox of someone who did not ask for it.

      For those violating copyright, both the sender and the receiver have agreed to participate.

      The issue is one of consent, not one of content.

      --
      I can throw myself at the ground, and miss.
  60. Spamblocking Whole Countries and DSL ISPs by billstewart · · Score: 1
    Why does anybody's choice of connectivity provider have anything to do with their choice of email provider? Sure, my DSL ISP gives me a mailbox and a shell account, but all I do with that mailbox is set it to forward to my real email to handle occasional administrative messages from the DSL folks.

    Blocking whole countries by default, without giving the users a choice about it, is rude, stupid, xenophobic, and a good reason for your customers to leave en masse.

    On the other hand, *offering* email blocking by country, character set, favorite-blacklist, etc. is a really good thing. The EMail Service Provider where my main email address lives recently started doing this, and since I don't get any legitimate email from China or Korea or Brazil, I have the spam-filter set to flag some and block others. I do occasionally get mail from real people in Japan, though unfortunately (AFAIK) my ISP doesn't offer blocking by character set, so I still get two spams a month in Japanese, which I don't read, and have to use my email client's filters to discard. I still get spam, but I've had that email account splattered all over internet mailing lists for a decade or so and there's no way to keep harvesters from finding it - but my other main ISP has a good Spamassassin setup and not much gets through them.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Spamblocking Whole Countries and DSL ISPs by Zocalo · · Score: 1

      I couldn't agree more with your sentiment about enabling the *optional* blocking of entire countries and character sets en-masse; I do it myself on my home mailserver via my own DNSBL and SpamAssassin. Verizon has apparently decided that it knows best however and its customers will just have to deal with it as best they can, which makes them fair game for being used as the poster child for my point. To paraphrase Spiderman; ISPs potentially have a great power to wield against spam, but with that power comes great responsibility. By all accounts Verizon needs a healthy infusion of the latter, and failing that a hefty whack with a clue-by-four.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:Spamblocking Whole Countries and DSL ISPs by isdnip · · Score: 2, Informative

      Why does anybody's choice of connectivity provider have anything to do with their choice of email provider? Sure, my DSL ISP gives me a mailbox and a shell account, but all I do with that mailbox is set it to forward to my real email to handle occasional administrative messages from the DSL folks.

      Don't worry, Verizon is working hard to prevent you from doing that! They and BellSouth have petitioned the FCC to allow them to cut off all other ISPs' access to their raw DSL services. They're also making it harder for CLECs to offer DSL in competition with them. So you will get Verizon Online or nothing on DSL. If you don't like this, go to http://www.fcc.gov/, go to e-filings, ECFS, read the comments and then leave one of your own on "04-440" (Verizon) or a Reply Comment (closing later this week) in "04-405" (BellSouth). SBC and Qwest will no doubt get the same privileges that the other Bells get.

      I don't know if Verizon Online blocks Port 25, but if you use their mail server, you must have "@verizon.net" in the From: field. If you try to use your own domain, you commie terrorist spammer punk, your mail will be blocked. And if you want mail from foreigners, you commie terrorist, they will tell you to use Hotmail.

      And if the FCC accepts their Petition, you won't have a choice if you want DSL. At least Comcast has a smart Port 25 filter (passes a limited number of mails, blocking spam blasters) and allows From: whatever.

  61. A nation of zombies. by khasim · · Score: 2, Interesting

    Distributed processing is where it is at.

    If you own your own ISP, you're limited to the bandwidth that you're paying for (and you can be blocked easily).

    With a bunch of zombie machines, you have TONS more bandwidth and you're not paying for it!

    Plus - all those processors sending spam.

    Just 10 zombies on 256K upload cable modems is 2.5Mb.

    A regular T1 is only 1.54Mb.

    1. Re:A nation of zombies. by Anonymous Coward · · Score: 0

      A nation of American zombies at that. Here's the worst of the ADSL zombie networks to block. We have a cron job to report a monthly summary of abuse, but we never get replies from these ISPs. It's been going on forever, I assume these guys just don't give a shit. These are the top 5 offenders who regularly try to spam us:

      .client*.comcast.net
      [cityname].rr.com
      dsl.*.ameritech.net
      dsl.*.pacbell.net
      cable-*.charter.com

      Posting as an AC to name the guilty. Sort your shit out you fuckers! I have better things to do with my time and bandwidth.

  62. Re:More Law Suits -- start with Cable/DSL by kd3bj · · Score: 1
    For example, the big cable and DSL ISPs know that millions of their customers have virus infected PC's spewing out a deluge of spam on port 25. They can't plead ignorance. Why don't they block port 25? In another industry it would be criminal negligence to knowingly allow your resources to be used in a crime. How can these big providers possibly get away with this head-in-the-sand attitude?

    A nice class action lawsuit might wake them up. Like say $0.01 per spam received by direct SMTP from a virus infected PC on a Cable/DSL net connection.

  63. oh really ? Have you tried to call AOL lately? by LullySing · · Score: 3, Interesting

    You know what? When that dude talks about how the problem is solved, maybe he should stop pretending he's above us, and maybe start looking at the kind of system he's got.

    Here's a post I made in my blog about a situation that arrived because of AOL's "system". Ever since that episode, I haven't been impressed at all by these people.

    --------(start idiotic message from AOL)----------
    Date: Mon, 5 Apr 2004 09:04:13 -0400 (EDT)
    From: postmaster@aol.com
    Subject: AOL email concerns for isp-where-i-work-abuse.net
    To: abuse@isp-where-i-work-abuse.net
    X-Scanned-By: MIMEDefang 2.39

    Dear isp-where-i-work-abuse.net,

    You are receiving this message via our automated "Report Card" process (which helps analyze AOL's Internet inbound mail) because our available data indicate that isp-where-i-work-abuse has risen above the acceptable threshold for complaints:

    Total number of AOL member complaints: 186

    AOL takes proactive steps to contact owners of mail servers whose e-mail transmissions are impairing the functioning of AOL's proprietary e-mail system, or causing significant levels of AOL customer complaints.

    AOL requests that you take immediate steps to resolve the issues identified in this AOL Report Card. In the absence of a satisfactory resolution, AOL reserves the right to take measures to protect its email network and its member goodwill from any possible damage. These measures may include declining to accept e-mail transmissions from isp-where-i-work-abuse.net through AOL's proprietary e-mail network.

    AOL strives to provide the best online experience possible for our members, and we pride ourselves on being intensely focused on consumers and their needs. Email is a core feature of the AOL service, and the proper functioning of AOL's e-mail system is vital to our members' goodwill.

    Please review AOL's e-mail policies and guidelines, as well as other technical details concerning e-mail on the AOL network, at http://postmaster.info.aol.com
    ------------(end message)--------------

    Ooohhh, AOL's proprietary e-mail network. No information that is gonna be any use in determining WHY people are complaining at all. I guess this should not be a surprise, considering this crap is coming in from AOL! So I do the next available thing, I go to the website. Result: No information that is gonna be any use in determining WHY people are complaining at all. But there's a phone number.

    Result of calling 1-888-212-5537:
    *dials phone*
    "The holding time for the next available consultant will be more than ten minutes." ...( silence )
    "Thank you for calling America online ..."
    *spits water all over desk, workdesk and papers*
    (musak)
    (an hour later)
    Hello, this is postmaster helpdesk, can I help you? ...And here I am explaining to the bloke on the phone the situation, namely that we are getting "Report cards" without any kind of information as to why people are complaining, with no headers or anything at all to help us.

    REP:"oh, that's because you don't currently have a feedback loop with us."
    ME : "huh? but we received your report cards in the abusemail box."
    REP:"Yes, but you don't have a feedback loop with us"
    ME :"You know, there are databases on the net where you can get the abuse contact information for ISPs and things like that."
    REP:"Yes, but we made our own database"
    ME :"Couldn't you have used those as a base for your own database?"
    REP:"I cannot comment on that" ... and here are some other juicy interesting tidbits of information from this conversation...

    REP: So what are your mail server's IP addresses.
    ME : We have several : we're an ISP.
    REP: Alright, then give em to me.
    ME : That's why we use DNS names for our mail servers : if one breaks, we change the IP to another server while we fix the previous one.
    REP: So you can't give me the IPs? ...

    --
    Peace and happyness to you, by LullySing ;)
    1. Re:oh really ? Have you tried to call AOL lately? by doon · · Score: 1

      Yeah, Scomp, how great. They say take a scomp report as a request to be removed from a valid (double opt-in) mailing list, but then they strip all identifying marks from it so you can't tell which user it is. Also AOL doesn't do any filtering on its scomp reports, so anytime one of their users hits the report as spam button (which I am told is very close to the trash button) we get a report. So we get reports on things like, Dear Grandma, thanks for the cookies, they were yummy, and this was in reply to an e-mail sent from AOL asking how the cookies were. I kid you not. So we have to sit and look and figure out which ones are legit and we need to pursue, and which ones are just the user on the other end not having a clue.

      A couple of times it has been helpful since we can normally find a trojan/rooted box spitting out viagra/ciallis spam pretty quickly since we start to get a ton of reports not long after it starts, so we can locate it and noc it off line. Oh in case you are wondering I am an admin for a smaller regional ISP (about 25K mail accounts)

      --
      To E-mail me, replace the first period in my domain with an @
  64. Re:More Law Suits -- start with Cable/DSL by XtremeGod · · Score: 1

    You don't even need to block port 25. You can use a transparent proxy to at least do basic virus checking on the mails. At least this shows a bit of corporate responsibility, even if it is an illusion of trying to do some good.

  65. My Grandpa's AOL email by Ki+Master+George · · Score: 1

    I have no idea what they're talking about when they say they've nearly eliminated spam. My Grandpa gets ~30 email messages a week: I'd say 20 of those are newsletters that he doesn't want about Macs and Oil and the colleges he went to (I don't know who signed him up for them; I'm seriously considering signing him up for another account, as I conduct his computer affairs), and 9 are medicine spam, then maybe one is something he wants (he also gets lots of chain email letters about how evil the Democrats are and how cool the Republicans are, which is odd, because he's a Democrat). I think only once was some spam correctly identified. I don't know what about \/1AGR@ isn't spammy.

    --
    Before you walk a mile in someone's shoes, you should insult them so you know how they are and what they're doing.
  66. I don't see what all the fuss is about by CastrTroy · · Score: 1

    I get probably about 40 spam messages a day. However I don't see a single one thanks to spamassassin. I think I've gotten about 1 false positive in the past year. There are good filters out there. Just because people don't know how to block spam doesn't mean it's impossible. People just need to wise up. Maybe ISPs should offer real spam protection as part of their service, instead of whatever crappy protection they are offering.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:I don't see what all the fuss is about by Anonymous Coward · · Score: 0

      You still have to download the spam. For people on dialup that can take a very long time. Assume each spam is 100k thanks to all the crap spammers like to include, 50 emails is 5MB which would take at least a half an hour to download without broadband.

  67. Corner pay phones don't accept incoming calls. by khasim · · Score: 2, Insightful
    I agree with most of that, but you're off on the "common carrier" bit.
    The phone company isn't held responsible if a bank robbery is planned over the phone only because they make no effort to control what is said. (In other words, because they are a common carrier).

    As soon as you start controlling what your users can put out on the net, you lose common carrier protections.
    The phone company won't control what you say, but they can do some things like having the corner pay phones only able to make outgoing calls so that criminals won't be able to set up shop with them.

    The same methodology can be used to fight spam.

    You don't care what is in the email the customers send, they just have to send it via your email server. This will stop almost every zombie spammer out there.

    And that's how spam will be fixed. By looking at each characteristic of spam and dealing with each one, individually.
    Other things that hinder spam prevention include pointy headed morons who report legitimate mails as spam because they can't be bothered to unsubscribe to double opt-in lists that they DID subscribe to,...
    I've had users specifically request info from a site and then dump the email with that info into the spam folder.

    Fortunately, Spamassassin handles enough so that I only have to confirm 10 - 15 of those a day.
    Ultimately, spam will go away when people stop buying things from spammers. Nothing else will likely manage it.
    If so, that day is very far away. People do buy things like penis pills and they do it online because they feel better not having to face another human being while doing it. Sad, but true.

    1. Re:Corner pay phones don't accept incoming calls. by sjames · · Score: 1

      You don't care what is in the email the customers send, they just have to send it via your email server. This will stop almost every zombie spammer out there.

      Sure, but it's not without problems. When my ISP blocks outgoing connections to port 25, I can't properly test MY OWN mailserver from a remote location (just because it works for a connection in the same class C doesn't mean it'll work from anywhere). To make matters worse, my test WILL look like a spam attempt because I want to make sure it won't relay it.

      Then there's colo customers and business connections who expect unrestricted access, that's what they pay for. What am I to do if a mom and pop ISP wants to buy bandwidth from me or perhaps colo their mail and web servers in my NOC? Shall I tell them they can't have a mail server? (and watch them take their business to someone with more sense)? Is there a point where an ISP becomes large enough to be trusted or should we block port 25 at Mae East?

    2. Re:Corner pay phones don't accept incoming calls. by einhverfr · · Score: 1

      Unfortunately for this to work reliably and robustly, you would need to force them to use the email address that they authenticate with. This will prevent me from using chris at metatrontech dot com as my email for my business and I might have to use einhverfr at nwi dot net. This is the part that is unacceptable for my business.

      Now, you have to make this restriction because otherwise spam-relaying zombies can just pull the information from the registry regarding outgoing smtp servers, and forge the addresses. Additionally, Outlook Express must store the password in some reversible format, and this would not be hard to break. So in reality, though it would break 99%+ of the existing zombies, it would not take long for the systems to be re-designed.

      Then filtering blocks common carrier status. So you enforce the "no-forged-from" rule and people like me have to take their business elsewhere.

      Look--- as I run a business with web and mail servers, I have found that I have to be very specific with ISP's so that I ensure that they are not filtering the ports. Even then, I do occasionally run into problems, for example when my ISP put in an IDS which for some reason made my website inaccessible from those on dial-up on the same ISP (I am on their fiber service). After the complaint, they did remove that filter, but it meant three days of *my* customers complaining to me.

      So what do you do suggest? Say that if Microsoft has their internet connection through, say, Verizon (not saying they do, but just in case), that Bill Gates will have to use the email address billg-msft@verizon.net? Didn't think so....

      --

      LedgerSMB: Open source Accounting/ERP
    3. Re:Corner pay phones don't accept incoming calls. by Anonymous Coward · · Score: 0

      Can you help us understand why you can't test your email server from remote location when your ISP is blocking OUTBOUND email ( unless you relay it through them ). If you are from linuxlabs I am guessing you know how to use sendmail's "smarterhost", or postfix's "transport" to make your email go through an upstream provider.

      Do you think that if you wanted electricity direct from the generating plant that you could run your own wires from your house to the generator ?
      Nahhhhh.. Even if you know what AC & DC mean. It keeps the rest of us safe that you are not allowed to tap directly into generators.

      The three times a year you need to test your mail server and can not get cooperation from your upstream provider means we get to accept spam from your network... wow! kind of a fair trade off don't you think?

      Maybe you need to have a chat with your provider if you can't test your email.

    4. Re:Corner pay phones don't accept incoming calls. by sjames · · Score: 2, Informative

      Can you help us understand why you can't test your email server from remote location when your ISP is blocking OUTBOUND email ( unless you relay it through them ). If you are from linuxlabs I am guessing you know how to use sendmail's "smarterhost", or postfix's "transport" to make your email go through an upstream provider.

      Because the email server in question is not on my machine here, it resides on an unrelated network. I would very much like to telnet to it on port 25 and manually step through a transaction (in part to make sure it correctly refuses to relay without authentication). How in the HELL would my configuring my home machine to use my ISP here as a smart host help with that? In other cases, I may want to see specifically how it is responding to inbound mail. Once again, to do that, I need a telnet connection to port 25, not a smarthost. In other words, to test an INBOUND connection to my remote mail server, I'd need an OUTBOUND connection from home (which is blocked).

      Nahhhhh.. Even if you know what AC & DC mean. It keeps the rest of us safe that you are not allowed to tap directly into generators.

      In a sense, we all have such a tap, it's just that it's shared. The only thing keeping me from pulling the whole neighborhood down is common sense, responsibility, and lack of need for that much power.

    5. Re:Corner pay phones don't accept incoming calls. by Anonymous Coward · · Score: 0

      "...When my ISP blocks outgoing connections to port 25, I can't properly test MY OWN mailserver from a remote location..."

      Why can't you temporarily open port 25 for testing?

    6. Re:Corner pay phones don't accept incoming calls. by MightyMartian · · Score: 1

      > Sure, but it's not without problems. When my ISP
      > blocks outgoing connections to port 25, I can't
      > properly test MY OWN mailserver from a remote
      > location (just because it works for a connection
      > in the same class C doesn't mean it'll work from
      > anywhere). To make matters worse, my test WILL
      > look like a spam attempt because I want to make
      > sure it won't relay it.

      Are you supposed to be running a mail server? We have customers that do run mail servers, and we don't block port 25 for them (I mean, it's pretty trivial in a router access list to say block x.y.z.0/23 except for x.y.z.5/32). If you're buying an IP with the agreement that you're going to be running a mail server, and your provider blocks port 25, then either you need to resolve that problem or find another ISP. If you're running your own mail server without your ISP's knowledge, then that's tough.

      > Then there's colo customers and business
      > connections who expect unrestricted access,
      > that's what they pay for.

      I'm not suggesting they don't get it. I am saying that when the upstream provider starts getting reports that there's an open relay, even if it is a colo customer, then that upstream provider has an obligation to make sure that hole is sealed.

      > What am I to do if a mom and pop ISP wants to
      > buy bandwidth from me or perhaps colo their mail
      > and web servers in my NOC? Shall I tell them
      > they can't have a mail server? (and watch them
      > take their business to someone with more sense)?
      > Is there a point where an ISP becomes large
      > enough to be trusted or should we block port 25
      > at Mae East?

      Again, are you buying the full show or are you just doing a fly-by-nighter here. If we found out a customer with residential grade service was running a full-blown hosting service, we'd shut him down faster than you can say "Pay up." If your provider is blocking your traffic, even though you're paying for full access, then you've got a problem with your provider.

      I trust, at any rate, that you're not running an open relay.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    7. Re:Corner pay phones don't accept incoming calls. by sjames · · Score: 1

      Why can't you temporarily open port 25 for testing?

      Perhaps the use of "my" was confusing, I mean my mailserver in the sense of ownership, and my ISP in the sense of being that ISP's customer. I don't have administrative control of their firewall.

    8. Re:Corner pay phones don't accept incoming calls. by sjames · · Score: 1

      There seems to be some confusion here. I don't offer residential services at all, nor do I run servers off of the dialup account I have with an ISP for my home connection.

      The mail server is in a commercial colo facility. There's absolutely nothing wrong with an ISP running out of colo space.

      The problem is that if I want to test the colo-ed mail server while on my dialup line at home, I can't because outbound port 25 connections are blocked as an anti-spam measure.

      I most certainly am not running an open relay. The reason I want to connect to the mail server from my dialup line is in part so I can more easily test my configs to make sure of that by telnetting to port 25 on my server and attempting various things to get it to relay mail it shouldn't.

  68. "ISP" fronts for Spammers - Moving Target by billstewart · · Score: 2, Interesting
    Every big spammer knows about AGIS, the big ISP that lost all its connections to the rest of the Internet when their spammer-friendliness became well-known enough that they not only couldn't get peering with other ISPs, but couldn't even buy transit from anybody and their last few upstream providers kept getting pressured by the rest of the world. Lots of smaller spammers try the smalltime fake-ISP-front game - the ecology of hosting centers is sufficiently dense, with colocation companies renting rack space and bandwidth or crossconnects to ISPs and computer hardware leasing companies which lease them to managed operating system companies which lease them to managed hosting application companies which provide web page hosting service to end customers, wholesale email service to freemail providers, and virtual machines to end users, and you can play whack-a-mole for a long time before you find which layer is really the spammer, which layer is a fictitious business name also run by the spammer, which is a spammer-tolerant service provider company, which is an innocent but clueless company that really had bad customers paying them with stolen credit cards, and who needed whacking.

    Scotty Richter's OptInRealBig gang had their big pet ISP, named something along the lines of "wholesale bandwidth". AFAIKT, they mostly did business for Scotty, but they also sold bandwidth to other people, and they normally dealt with problems by explaining how they were shocked, shocked! to discover that one of their customers was a spammer! and would take care of them right away, usually by having their "customer" list-wash the complainer's address (they really *were* scrupulous about taking complainer's addresses off the list, though I had no way of knowing if they also resold the lists of complainers to other spammers), or worst case, by "getting rid of" their "bad" customer (i.e. renaming herbal-fake-viagra.com as fake-herbal-viagra.com with a different IP address on a different virtual server in their /19 block, or sometimes even "getting rid of" a whole virtual server, and giving it a new IP address.) Because they were pretending to be an honest, CAN-SPAM-law-abiding whitehat spammer, using their own IP address space, it was easier to trace them than the usual zombie-burning spammer, and I helped out with one or two rounds of complaining to their upstream providers when they got kicked off of one and found another. It usually required a couple exchanges of "No, I wasn't complaining to you to get them to 'investigate' and take my email address off their list, I was complaining to you to get you to cut them off unless they stop spamming entirely, which they're still doing, and I won't give you the email address they spammed, just the headers, and by the way they appear to be abusing a supposedly-inactive BGP Autonomous System Number" until they were cut off. Companies that *are* trying to hide are much tougher to get rid of.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  69. Spews by Trillan · · Score: 1

    Spews -- love it or hate it -- is all about making hosting spammers more expensive to ISPs.

    Personally, I find that as a side effect it is an incredible tool for moving spam from my inbox to my junk mail folder.

  70. Breaking the End-To-End model is EVIL by billstewart · · Score: 1
    Blocking Port 25 outbound for everybody is irresponsible, mean, nasty, evil, and a bad idea, just as blocking Port 80 inbound or Port 25 inbound is mean, nasty, evil, and greedy. It's breaking the end-to-end model that the Internet is based on. Port 587 is a partial workaround - it lets you take your perfectly capable well-administered machine and connect to some service provider who may or may not be more competent than you just to get around a broken ISP.

    However, there are ISPs with a middle-ground approach - Port 25 outbound is blocked by default, and you can turn it on by going to the administrative website and doing enough login/password/turing-test authentication to show you're not a zombie and choosing that option, along with whatever other firewall options you want. That's reasonably responsible, both to the Internet end-to-end model (it's letting you set the "ends" of your network flexibly) and also to the anti-littering needs of the public. It means you're not being dishonest about claiming to offer "Internet" access when actually selling "walled garden" services, but it means that people who really don't plan to run real email systems don't need to worry quite as much about their machines being abused.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Breaking the End-To-End model is EVIL by amuro98 · · Score: 1

      I fail to see how default blocking outbound port 25 traffic is "mean, nasty, evil and a bad idea" when it's a safe bet that over 99% of the users of the internet don't know about, don't care about, and just don't need such a feature.

      No, such a thing isn't going to be a cure-all for the spam/virus problem, but it's a simple thing that all ISPs should be doing and will have a positive effect on the internet as a whole.

      But we've still got major providers who are complaining that such a move would cost them too much in support calls, and so their network remains a veritable overflowing sewer of garbage.

  71. a serious problem by cg0def · · Score: 2, Insightful

    Spam has been a huge problem for quite some time and the way that AOL deals with it is just shameful for them. I can't send emails to AOL users from my sendmail server because AOL recognizes it as junkmail and refuses to accept it. Come on, what's next, blocking all OSS mail servers just because people that use them pay no royalties? AOL needs to seriously adjust their filter or maybe their spam strategy.

    1. Re:a serious problem by cg0def · · Score: 1

      Oh yeah I almost forgot AOL's servers also block stuff like edu accounts and other very closely monitored and well administered domains. Blacklisting an edu account must be the dumbest thing that I have ever seen. First of all those accounts exist only for as long as you are part of the institution and I have never heard of any spammer using an edu account. Even if you hijack an edu account as soon as the admin sees that 500 emails and up on a given day from the same account the account will be blocked. So thanks AOL for providing the world and all the people that depend on your services with some more crap.

    2. Re:a serious problem by wheelgun · · Score: 1

      First of all those accounts exist only for as long as you are part of the institution and I have never heard of any spammer using an edu account.

      A friend of mine used his uni account for many years after graduation. My brother used his for three years after graduation. I'd have to say you're right about *.edu domains being low-risk spam sources, but some folks do retain the use of their uni accounts for some amount of time after they set off for parts unknown.

  72. 5/hour is Too Low, Arbitrary by billstewart · · Score: 1

    A normal Sendmail implementation will create a separate Port 25 connection to each destination mail server, and may group a message to multiple users at the same destination domain or MX together into one transmission. If you send mail to more than 5 people in any hour, that would probably incorrectly nail you as a spammer. Even mail to all of my family would blow through this - a recent family reunion message went to about 30-50 people. I also run a couple of mailing lists for small social groups; one of them has about 250 users, and another one used to be about 1000, though they ran on other people's DSL lines rather than my own. Also, I'm perfectly capable of writing more than 5 rants an hour on some mailing lists - or when I've had my laptop on the road for a day and get back to the DSL and transmit all the mail I've written, it can be quite a lot more.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:5/hour is Too Low, Arbitrary by pthomsen · · Score: 1

      I'm glad to hear that you are capable of sending more than 5 messages/hour. ;-)

      WRT the lists, etc. I was actually thinking of counting the incoming connections to the MTA (ie. you connecting to sendmail), not the outgoing (sendmail connecting to the world). Of course this is not fool proof, and perhaps 5 is not the right number, and maybe an hour is not the right time unit. Maybe it should be more like 'if you send more than 5 messages/hr for a period of 12 hours from your PC, you will be blocked'.
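
An added example, not part of any comment in this thread: the refinement floated above (block only when a customer exceeds 5 messages/hour for 12 consecutive hours) compared with the plain "more than 5 in any hour" rule, replayed over constructed submission events. The IP addresses, timestamps and function names are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOURLY_LIMIT = 5       # messages per hour, the figure debated in the thread
SUSTAINED_HOURS = 12   # consecutive over-limit hours before blocking

def hourly_counts(events):
    """events: (timestamp, customer_ip) pairs, one per message handed to the ISP's MTA."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, ip in events:
        counts[ip][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts

def naive_flagged(events, limit=HOURLY_LIMIT):
    """Customers who exceed the limit in ANY single hour."""
    return {ip for ip, hours in hourly_counts(events).items()
            if any(n > limit for n in hours.values())}

def sustained_flagged(events, limit=HOURLY_LIMIT, hours_needed=SUSTAINED_HOURS):
    """Customers over the limit for hours_needed consecutive clock hours.
    Returns {ip: hour in which the block would trigger}."""
    flagged = {}
    for ip, hours in hourly_counts(events).items():
        run, prev_over = 0, None
        for hour in sorted(hours):
            if hours[hour] > limit:
                adjacent = prev_over is not None and hour - prev_over == timedelta(hours=1)
                run = run + 1 if adjacent else 1
                prev_over = hour
            else:
                run, prev_over = 0, None
            if run >= hours_needed:
                flagged[ip] = hour
                break
    return flagged

def burst(ip, start, hours, per_hour):
    """Constructed traffic: per_hour messages spread evenly over each of `hours` hours."""
    step = 3600 // per_hour
    return [(start + timedelta(hours=h, seconds=i * step), ip)
            for h in range(hours) for i in range(per_hour)]

# Constructed sample data (documentation address range, invented timeline).
T0 = datetime(2005, 1, 10, 0, 0)
SAMPLE = (
    burst("192.0.2.10", T0, 1, 40)                           # laptop flushing a day of queued mail
    + burst("192.0.2.10", T0 + timedelta(hours=1), 10, 2)    # ...then normal use
    + burst("192.0.2.20", T0, 6, 8)                          # small mailing list, morning run
    + burst("192.0.2.20", T0 + timedelta(hours=8), 6, 8)     # same list, later run after a gap
    + burst("192.0.2.66", T0, 14, 200)                       # infected PC sending around the clock
)

if __name__ == "__main__":
    print("any-hour rule flags :", sorted(naive_flagged(SAMPLE)))
    print("sustained rule flags:", sustained_flagged(SAMPLE))
```

The any-hour rule flags all three customers, including the laptop user and the list operator; the sustained rule flags only the host that stays over the limit for twelve hours in a row.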

  73. Traditional .forward is dead. Get used to it. by KMSelf · · Score: 1

    See Joe St. Sauver's The Impending End of Traditional .forward-style Forwarding. This is a growing problem, and traditional .forward is dead.

    Joe runs network ops for University of Oregon, and has a good set of for-the-public articles at his website.

    These days, however, how your mail gets routed is a very important issue for one simple reason: deliverability.

    "Deliverability" is a term that has been coined to capture the problem that sites increasingly face trying to get legitimate mail through anti-spam measures. Trying to send mail that includes bad keywords? You may have "deliverability issues" at sites that use content-based filters. Had an accidental configuration problem that resulted in spammers exploiting your system for a while? You may be listed on one or more DNSBLs, and have "deliverability problems" as a result.

    Deliverability is particularly closely tied to reputation. Every piece of mail that gets sent from your campus, whether created by a local user or forwarded by that user to another account using a dot forward forwarding entry, "counts" against your reputation at a growing number of providers. As far as they can tell (and remember, this is all automated because of the hundreds of millions of messages that are involved), when you hand their mail servers a message, "you" sent them those messages, even if all you did was innocently and dutifully forward the mail on behalf of one of your users, as instructed by that user's .forward file.

    If you're going to emit it (allow .forward), then you're going to have to own it, and if you own it, you're going to have to deal with incoming spam. Unfiltered .forward is a dying breed. Either find an alternate solution, or filter the mail.

    --

    What part of "gestalt" don't you understand?

  74. You want 'em by ASN? by KMSelf · · Score: 1

    Spam received by ASN. Not entirely current ATM, but recent.

    For the past year, about 15% of all spam I see comes out of AS4766 - KORnet. The rest of the top 4-5 bounce around Chinese ISPs, Telstra, SBC, Tiscali, AT&T Worldnet, and account for 25% of all spam received. The problem is highly concentrated.

    You can also check postings to NANAS (news.admin.net-abuse.sightings). Or just check at Spamhaus for ROKSO spammers and their ISPs.

    Unfortunately, for some people (and the ISPs they run), there is no shame.

    --

    What part of "gestalt" don't you understand?

  75. my ISP does care by Anonymous Coward · · Score: 0

    At work, the ISP does care. They have installed spam filters, but, they charge extra for EACH account you want filtered to enable the said filter.

    In a big office environment, this is big bucks for big stupid companies that don't know better than to switch ISPs.

  76. Point missed by adeydas · · Score: 1

    In the above scenario, poor surfers won't be able to get mortgage help and porn teens in their mailbox...

  77. any resources? by Anonymous Coward · · Score: 0

    So I run an email server for some friends and myself. I use Exim, Spamassassin (just tags spam) and (optional)RBL lists to block known relays.

    How can I say, stop some "hacked" windows PC on comcast (as an example) from connecting directly to my mail server and sending spam to one of the guys on my system? It's almost like the spam program/trojan/whatever does an MX lookup and connects directly to the mail server for the domain.

    For example, if say, I host email for the domain example.com and a user has an account "joe@example.com", how can I stop someone from connecting directly to my mail server and sending spam to that address? Can you? From what I can tell, blocking that would also block legit email from coming through.

    Any resources available for Exim (I have looked over the docs, and googled some, but nothing seems to point to what I am looking for) to stop this?

    I get a lot of DHA attacks, but almost all are blocked by the RBL lists (when those users opt in).

    The biggest annoyance is one of my friends that just forwards everything to his AOL account. SO I get tons of notices from AOL when he "reports spam" to them. I can go back through the logs, see where some cable or DSL connection was made and sent the users 4-5 spams at a time. These instances, it's all to one email address, not a DHA.

  78. Pot meet kettle by RehabDJ · · Score: 0

    This from AOL, who as some of you may recall was ("in its past") caught selling email addresses of subscribers simply as part of their marketing scheme.

    1. Re:Pot meet kettle by RehabDJ · · Score: 0

      ...and since a good deal of spam still comes from free email providers that use no validation for how many addresses are taken from a single IP (i.e. Yahoo, MSN or AOL with their SPAM in your snail mail box), I have long ago blocked these domains from my company email servers greatly reducing SPAM. Maybe I'm just bitter because AOL doesn't send out floppies you could actually use anymore. Now if they started sending out their free trials on CD/RW maybe I'd back their hypocrisy.

  79. I'm sorry, but.... by Anonymous Coward · · Score: 0

    e-mail has 2 parties--a sender and a receiver. I'm sure it's good for the ISPs to address this in the "stop it at the sender" level--this cuts network traffic.

    But if you're an ISP that wants to protect your users, why are they not talking about the receiving end? How hard is it to simply not accept non-reverse-DNS'able e-mail? Or at least automatically flag such mail as possible spam? What's hard about greylisting?

    What's so hard about, instead of complaining that OTHERS are not doing all they can to configure their networks to keep spam down, configuring YOUR servers not to accept it? What's wrong with this picture?

    I'm all for network responsibility, but come on--this is like complaining that ISP's should be doing more to knock virus-infected machines offline instead of getting a firewall and installing a virus scanner.
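Added example (not part of any comment in this thread): a sketch of the two receiving-side checks named in comment 79, forward-confirmed reverse DNS and greylisting on the (client network, sender, recipient) triplet. The class and function names, the delay values and the sample DNS data are assumptions made for illustration.

```python
import ipaddress
import socket
import time

# Constructed sample DNS data (documentation address ranges), for offline use.
SAMPLE_PTR = {"192.0.2.10": "mail.example.org", "198.51.100.7": "host.example.com"}
SAMPLE_A = {"mail.example.org": ["192.0.2.10"], "host.example.com": ["203.0.113.5"]}


def sample_reverse(ip):
    """Stand-in for socket.gethostbyaddr backed by SAMPLE_PTR."""
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[ip], [], [ip]


def sample_forward(name, port):
    """Stand-in for socket.getaddrinfo backed by SAMPLE_A."""
    if name not in SAMPLE_A:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, 0)) for a in SAMPLE_A[name]]


def fcrdns_ok(ip, reverse=socket.gethostbyaddr, forward=socket.getaddrinfo):
    """True when the PTR name of `ip` exists and resolves back to `ip`."""
    try:
        name = reverse(ip)[0]
        addrs = {info[4][0].split("%")[0] for info in forward(name, None)}
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return False
    want = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == want for a in addrs)


class Greylist:
    """Temp-fail the first delivery attempt for an unknown triplet and accept
    a retry that arrives after min_delay but within retry_window."""

    def __init__(self, min_delay=300, retry_window=4 * 3600,
                 pass_ttl=36 * 86400, clock=time.time):
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.pass_ttl = pass_ttl
        self.clock = clock
        self.seen = {}    # triplet -> time of first (deferred) attempt
        self.passed = {}  # triplet -> time of last accepted delivery

    @staticmethod
    def _key(client_ip, sender, rcpt):
        ip = ipaddress.ip_address(client_ip)
        # Key on the /24 (or /64) so a retry from a sibling host in the
        # same outbound pool still matches the first attempt.
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return str(net), sender.lower(), rcpt.lower()

    def check(self, client_ip, sender, rcpt):
        """Return the (SMTP code, text) to give at RCPT TO time."""
        now = self.clock()
        key = self._key(client_ip, sender, rcpt)
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= self.pass_ttl:
            self.passed[key] = now
            return 250, "accepted (known triplet)"
        first = self.seen.get(key)
        if first is None or now - first > self.retry_window:
            self.seen[key] = now  # first sight, or the old attempt expired
            return 451, "4.7.1 greylisted, try again later"
        if now - first < self.min_delay:
            return 451, "4.7.1 greylisted, retry too soon"
        del self.seen[key]
        self.passed[key] = now
        return 250, "accepted after retry"


def evaluate(gl, client_ip, sender, rcpt,
             reverse=socket.gethostbyaddr, forward=socket.getaddrinfo):
    """Greylist every triplet; flag (rather than reject) clients without
    forward-confirmed reverse DNS. Returns (code, text, flagged)."""
    flagged = not fcrdns_ok(client_ip, reverse, forward)
    code, text = gl.check(client_ip, sender, rcpt)
    return code, text, flagged


if __name__ == "__main__":
    gl = Greylist()
    print(evaluate(gl, "203.0.113.9", "x@example.com", "user@example.net",
                   sample_reverse, sample_forward))
```

A legitimate MTA queues the message and retries after the 451, while most fire-and-forget senders never come back; the cost is a delay on first contact from each new triplet.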

  80. Readable version by Anonymous Coward · · Score: 0
  81. Informative my bu11 by Anonymous Coward · · Score: 0
    Thanks for the informative post. I was about to netblock this ISP, until I saw this message. Now I will give you a netblock and a post to all the DNSBLs a complaint just for the general purpose of your attitude.

    Most of the SPAMs come from Philadelphia.

  82. Telstra and spam?? by Goonie · · Score: 1
    Could you provide more details on spam coming from Telstra?

    Telstra is the majority government-owned telco in Australia. Let's just say if Telstra is one of the world's biggest spam sources, it might be a story that could interest the mainstream media.

    Is it just that Telstra isn't blocking mailouts from zombiefied customer DSL machines, or is Telstra taking money from spammers themselves?

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
    1. Re:Telstra and spam?? by KMSelf · · Score: 1

      Details... Well, they're floating around a fractional percent to nearly 6% of spam, by month. I label mail by ASN as I report it to news.admin.net-abuse.sightings, so you can search for ASNs 1221 and 4763 there. Bounces around a lot. July was about the worst, since it's been about 0.1-0.2% of spam (2-87 messages).

      If you have anything else in mind, drop me a line (email works). Note that Telstra's pretty much in the same boat as most mainstream ISPs. Given Oz is a moderately-sized, but advanced, economy, and Telstra's got a monopoly on network services, it's not entirely surprising that the share is up there.

      Again, Spamhaus provides per-ISP stats, and might be a good place to start your research. I see one current ROKSO listing. And there's a current news item, Follow Australia describing progress in killing AU spam. Though other initiatives with Savvis and China have produced few tangible results.

      --

      What part of "gestalt" don't you understand?

  83. Spam is preventable, except its hard to do RIGHT! by dspisak · · Score: 1

    Sysadmins need to setup their mail servers more carefully. This I grant you is true.

    However, this doesn't get to the core reason of misconfigured email servers.

    It's TOO FUCKING HARD TO CONFIGURE SECURELY.

    What do I mean when I say this? Easy.

    You have your own Linux box let's say. You get yourself a domain name and host it in a colo somewhere. Now you want to run an MTA. Sendmail? Postfix? Exim? Qmail? Something else? Are you going to use the precompiled version that came with your Mandrake install? Maybe you want to compile your own MTA because the prepackaged options don't fit what you are trying to do.

    For example, I have an OpenBSD 3.6 box I run. I run a few small domains on it of which one has actual email accounts on it. I wanted to run a MTA on the box that was secure and would combat spam and viruses for me and the few other users. I've run other Linux and BSD boxen before and know what I am doing fairly well I think.

    However, getting Postfix 2.1 installed along with Amavisd+ClamAV and DSPAM turned out to be too much for me to bite off in one fell swoop. There were some websites dedicated to configurations *similar* to what I wanted to do, but nary a one was *exactly* what I was looking for, forcing me to try and synthesize multiple howtos and other docs into something that would work for what I was trying to do.

    Oh and on top of all of that I wanted TLS authentication along with SMTP AUTH and SSL encrypted POP3/IMAP services.

    Setting all of that stuff up is a fucking guaranteed trip to your medicine cabinet for some Excedrin to work out the kinks.

    SASL2 is a fucking joke. It is poorly documented and quite frankly, needs to be rolled into the damn MTA provided doing so would make getting it to WORK *easier*. You end up having to troubleshoot problems between components of your MTA and filters that it gets so complex it will make you want to just throw your hands up into the air and say "FUCK IT" and just run the MTA without any of the fancy shit. Getting TLS installed was easy by comparison....getting a SSL secured POP3/IMAP was a bit harder due to having to dick around with OpenSSL and creating self-signed certificates for the services to use.

    Then you had Amavis and ClamAV...which amazingly enough were easy to setup and use I thought compared to the rest of the stuff I was trying to accomplish.

    Then came getting Amavis to feed into DSPAM (and no, not through Amavisd-new's own DSPAM mechanism, you lose all the flexibility of DSPAM with that method) which partially worked and then stuff started to really fall apart and fail for reasons that I couldn't troubleshoot properly due to not having a full understanding of how DSPAM is working (I had previously been using SA but I wanted to get away from Perl as much as possible as well as try to learn DSPAM). Throw in problems with delivery because Procmail seemed to be hardcoded to deliver to /var/mail/spool instead of Maildir format style in user homedirs along with some permissions errors and whatnot and I finally gave up on DSPAM and just resigned to using the rest of the tools while trying to figure out DSPAM on a test domain that doesn't carry important email for me so I don't get an ulcer while trying to make the whole solution work.

    If it's that hard for someone who generally knows what they are doing and WANTS to be secure and safe and spam free imagine how it is for the less knowledgeable people when they start to read up on how to do some of this stuff. It's going to sound like they are being asked to learn quantum physics just so they don't have to hear about Cialis and Viagra and Hot Teen Sluts anymore and they will just decide to live with the problem because it's too hard to learn how to configure all this crap correctly AND securely because there is hardly any good single repository of known good spamfighting configs for the different MTAs.

    If there is a site out there that acts as a repository of all the "Here is how to configure Postfix/S

  84. Voluntary mail system test and certification by Midnight+Thunder · · Score: 1

    Maybe what we need is to put together a standardised mail system test kit. This kit would test for certain common abuses of mail systems and would be designed so that mail server administrators can test their own system. If the system passes the tests then it can be 'certified' as having passed the test. The certification could be "self-certified", "third-party certified" or "official certifier certified" and if it is the latter two have the name of who certified them. By having such a process in place ISPs can then require people using their own mail servers to pass this test before being accepted on their network and also reassure people that they themselves have passed this test.

    Well that's the idea anyhow, it's probably still open to abuse, but hopefully it could be a start to something?

    --
    Jumpstart the tartan drive.
  85. Boneheadedness. by edunbar93 · · Score: 1

    The most pathetic thing of all is the check-the-box form that people keep posting on Slashdot purporting to show that a particular method of ending spam won't work. It's become a substitute for intelligent discussion. People just check the boxes, and don't bother to justify which ones they checked.

    Wow, it's amazing. You must not have been on the internet long, because you are utterly blind to the *reason* that people use these checklists. It's the same reason people create FAQs, and insist that people who ask questions that have been answered before, read them to find the answers. It's because everything on the list has been argued to death millions of times in thousands of forums, including this one.

    You are not the first one to come up with your idea of How To Fight Spam. You won't be the last. It's been done before. But since you beg for understanding, here's why your idea won't work.

    Your idea will stop spam for two weeks and then we'll be stuck with it. Once the massive undertaking of switching to your secure key infrastructure is completed overnight, trillions of dollars spent, and countless hours of sleep lost, you will quickly find that just like today, every server in the world will be playing catch-up trying to find and blacklist all the boneheaded servers that your scheme specifically allows for. And users will forever be trying to update their whitelists for each incoming message that arrives from an anonymous source. Either that, or they will find that every time they try to get a computer to send them e-mail, they will find that it can't because the entire point is to make automated e-mail go away.

    At the same time, you argue for what amounts to a centralized database of Good People (or even a decentralized database of Good People, it doesn't matter). What will advertisers pay to get access to this database? Who will be in charge? What will be their motivation? When will they start to abuse this massive power? These questions apply to both centralized and decentralized databases. Just like DNS can be used to attack systems, so could this.

    Moreover, you are attempting to create a byzantine system with allowances for certain aspects of human behaviour. You think you have all the bases covered, but you do not. In any defensive mechanism, there are ways to get around the defenses. People, being the problem solvers they are, will find them and exploit them. The very best plan is the simplest plan because there are fewer things to go wrong, but at the same time they also have the largest vulnerabilities. Because your scheme is so complex, it faces the two headed monster of unreliability AND vulnerability. If spammers aren't jamming it, then human error will ensure that it doesn't work at all most of the time.

    The fact of the matter is that e-mail, just like regular mail, is supposed to be open to everyone. That means sending messages from any source to any recipient is supposed to be possible, and should be. The problem is not due to its open nature, but that the same automation that makes it cheap and easy also makes it cheap for abusers to exploit on a grand scale. Even if it were hard and expensive, it would still be a problem, just from different people - just look at the flyers you get in your regular mail. The only reason you don't get flyers for your local grocery store in your e-mail right now is due to how the first exploiters of this resource have made the practice a pariah among legitimate businesses. They are otherwise willing to spend millions every year to market directly to the consumer.

    In conclusion, I think that your plan stinks. It's complicated, doesn't work in its intended purpose, and is horribly unreliable in concept, never mind practice. Moreover, if you did the tiniest bit of research you will find that not only has the idea come forth before, it's been repeatedly struck down for all the reasons I've given. Your idea also demonstrates your complete lack of experience in these matters, and you should give up and find something better to do with your time.

    --
    "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
  86. We live in greedy world. by bs_02_06_02 · · Score: 1

    There will always be someone greedy enough to host a spammer.

    And, there's nothing to stop a spammer from starting their own ISP.

    Once in awhile, I check the headers just to see where it's coming from. China is the place... I bet at least 1/2 of the spam I get at one email account is from China. A good size chunk of the rest is from cablemodem/DSL zombies.

    --
    -- No sig for you!
  87. if only the world worked that way... by rich42 · · Score: 1

    OK - so if all the ISPs decided to get super-tough on spamming - spam would go away. It doesn't answer the question: why would they do that? There are already dozens of different SMTP blacklists banning ISPs that don't play by certain rules. I think it's helped - but it certainly hasn't solved the problem. From a pragmatic standpoint I think the best solution is to deploy "conservative" server-side filtering software to catch the stuff which is obviously spam. The users can then deploy the client-side anti-spam software that works best for them.

  88. .ch is Switzerland, .cn is China by Anonymous Coward · · Score: 0

    .ch is Switzerland, .cn is China; last time I looked, .cn had a far bigger phish and spam problem than Switzerland.

    Indeed, the last live phish I saw was from .cn

  89. Responsible ISPs shouldn't peer w/known spammers by Mister+Mudge · · Score: 1

    Passive blacklists don't seem to do much, except cause headaches for legit users whose emails fall into the black holes caused by spammers.

    Apropos this article, I think the solution is that ISPs should refuse to peer with other ISPs that tolerate spammers on their nets. If no one will peer with them, they'll go belly-up pretty quickly.

    --
    Mudge

    In theory, theory and practice are the same.
    In practice, they're not.

  90. Re:Spam is preventable, except its hard to do RIGH by El+Cubano · · Score: 1

    If there is a site out there that acts as a repository of all the "Here is how to configure Postfix/Sendmail/Exim/Qmail/Etc to be secure and spam-free as possible" then I have yet to see it.

    Would you mind posting the URL of the detailed HOWTO you wrote following your experience?

    Seriously. I dislike seeing people complain that documentation sucks for open source software who then go to lots of trouble and don't document what they do. Even creating a script(1) of your session and posting that would be useful.

    I have started being much more proactive about documenting the stuff that I do. When I document something I think may be useful to others I post messages announcing it to places where I think the users might benefit from it. You should do the same.

  91. When is it just free speech not spam? by clifgraves · · Score: 1

    I work with a lot of small nonprofits who use email to advocate for their cause to MEMBERS AND FRIENDS who sign up for their lists. BUT many ISPs now use a simplistic definition of spam as "any large amount of email at one time". Many ISPs are not responsive to pleading by the orgs that they are a special case and in the case of high speed vendors they are often the only game in town. While real spam is a pain, we must actively protect the free speech rights of legitimate causes on the internet.

  92. Wrong, wrong, wrong by tirnacopu · · Score: 1

    This is just shooting the messenger plain and simple. Any ISP having a >mbit connection in some obscure city ten thousand miles away in a country you cannot reach is a possible victim of SPAM. I'm talking zombie computers, rootkits and the sort. I'm talking $100 per month sysadmins with 10 computers connected. This is all it takes for an automated scanner to deliver its adverts. It may take two hours max until that network vanishes from the Internet, but it's too late. How many such networks exist? Plenty. I can find 50-100 hosts around me using just Nessus, Pepsi and a wireless card by midnight. The place to look if we want to eradicate SPAM is always at the money source. Blaming the carrier always triggers false alerts and useless restrictions (I still can't persuade my provider to allow access to port 135 between our hosts dammit).

  93. Why do you care about port 25? by Constantin · · Score: 1

    It is pure silliness to use port 25 or any of the other, open, non-encrypted ports/transfer protocols for e-mail, etc. when connecting to an entity on the internet. Any compromised machine between you and the colocation server can sniff out the password and login, leaving you with a huge security vulnerability.

    SSL is free, secure, and it just plain works with any modern e-mail server/client. No ISP I know of blocks the secure ports because zombie spammers haven't found a way to abuse them yet.

    If SSL is not available, or not reliable, there are a number of alternatives, such as using SSH to create a localhost tunnel to the Colocation facility, then making your plain-jane port 25 request while shielded from prying eyes.

    SSH also allows you to connect with any of the other legacy transfer protocols, while remaining secure in a tunnel. Many web-hosting companies do not allow SSH connections because they have clueless sysadmins, but SSH is free and with the right hoster, it works great.

    1. Re:Why do you care about port 25? by sjames · · Score: 1

      *SIGH*

      I said it is for TESTING. An SMTP server accepts traffic on port 25, so I need to TEST what it will do with it. A connection from localhost behaves differently than a connection from outside. If I want to see what it will do with a connection from outside, I need to connect to it from outside!

      I know all about SSH tunneling, (including the use of back to back pppd over an ssh connection to create a VPN) and SSL connections to mail servers. (That's what I use for regular emailing).

      I'm talking about TESTING.

  94. workaround by Frogg · · Score: 1

    i have a workaround...

    sure, it doesn't fix the problem with ISPs blocking port 25, but it'll allow you to test your mail server--and more.

    i assume that the mail server you wish to telnet into is yours, and that you can configure it as you wish.

    on your mail server, use iptables to put in a simple port mapping from say port 8025 to port 25, and use this when needs be. (fwiw, a port mapping of this kind is what we have in place on our mail servers)

    this will allow you to telnet in and test all you like.

    also, as you're now making SMTP available on a non-standard port, this also allows your clients/customers to access your SMTP services even if they are using an ISP that blocks port 25--providing they are smart enough to configure their email client with the information you provide.

    (this above point is useful if you have a client who runs mybusiness.com, but wishes to send mail on a dial-up connection /without/ using the ISPs mail server--AOL aren't the only ISP to force all port 25 connections to their own mail server, but some ISPs won't even let you relay mail from mybusiness.com even after you've authenticated!)

    and, of course, even if you add a port mapping on a non-standard port, your SMTP services are also still available on the standard port 25.

    1. Re:workaround by sjames · · Score: 1

      on your mail server, use iptables to put in a simple port mapping from say port 8025 to port 25, and use this when needs be. (fwiw, a port mapping of this kind is what we have in place on our mail servers)

      Actually, that does go a long way towards solving my problem. It's a shame it's necessary to route around damage like that, but there it is.

      Thank you for making a useful suggestion :-)

  95. Verizon: working hard to prevent you doing..... by Frogg · · Score: 1

    FWIW, Verizon are currently being totally OTT with their so-called spam control (i.e. email blocking) policies--they are currently blocking mail from most of Europe in a very ham-fisted fashion.

    read more about it here:
    http://www.theregister.co.uk/2005/01/21/verizon_class_action/

  96. One simple solution that seems to work by gpuk · · Score: 1

    I use an ISP in the UK called Nildram. They are a well respected business grade ISP that has been around since the mid nineties (possibly earlier).

    They enforce a very simple yet effective system. By default all users have port 25 blocked. If you wish to host your own mail (like I do) all it takes is one email to tech support. They run an automated open relay check and if you pass, the port is opened. They guarantee that a request for port 25 to be opened will be honoured within 24 hours.

    Blocking port 25 by default goes a long way to mitigating the effect of zombie pc's acting as relays for spammers. As far as I can see there is no downside. Those that need port 25 open are given it, those that don't aren't - simple and effective.
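Added example (not part of any comment in this thread, and not Nildram's actual tool): a minimal version of the automated open relay check described in comment 96, which is also the core test of the self-certification kit proposed in comment 84. It assumes you are checking a mail server you administer; the probe addresses, function names and the in-process fake server used for the offline demonstration are constructed for illustration.

```python
import smtplib
import socketserver
import threading

PROBE_FROM = "relaytest@sender.example"     # constructed; not local to the server
PROBE_RCPT = "relaytest@recipient.example"  # constructed; not local to the server


def relay_check(host, port=25, timeout=10):
    """Return (is_open, code, text). is_open is True when the server accepts
    RCPT TO for a foreign recipient from a foreign sender without AUTH."""
    with smtplib.SMTP(host, port, local_hostname="probe.example",
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, text = smtp.mail(PROBE_FROM)
        if code // 100 != 2:
            return False, code, text.decode(errors="replace")
        code, text = smtp.rcpt(PROBE_RCPT)
        smtp.rset()  # abandon the transaction: no DATA, so no mail is sent
        return code // 100 == 2, code, text.decode(errors="replace")


class _Handler(socketserver.StreamRequestHandler):
    """Tiny constructed SMTP responder so the check can be run offline."""

    def handle(self):
        self.wfile.write(b"220 mx.local.example ESMTP\r\n")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            verb = line.upper()
            if verb.startswith("RCPT TO:"):
                domain = line.rsplit("@", 1)[-1].rstrip(">").lower()
                ok = self.server.open_relay or domain in self.server.local_domains
                reply = b"250 2.1.5 Ok" if ok else b"554 5.7.1 Relay access denied"
            elif verb.startswith("QUIT"):
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:  # EHLO, MAIL FROM, RSET
                reply = b"250 Ok"
            self.wfile.write(reply + b"\r\n")


def start_fake_server(open_relay, local_domains=("local.example",)):
    """Start the responder on a free loopback port; the caller shuts it down."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Handler)
    srv.daemon_threads = True
    srv.open_relay = open_relay
    srv.local_domains = set(local_domains)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    for mode in (True, False):
        srv = start_fake_server(open_relay=mode)
        print(mode, relay_check("127.0.0.1", srv.server_address[1], timeout=5))
        srv.shutdown()
        srv.server_close()
```

Some servers accept RCPT TO and only refuse at DATA, so a 2xx here means the server needs a closer look at its relay rules, not that mail was actually relayed.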

  97. Thanks... by Constantin · · Score: 1

    ... I had no idea that connections via a localhost tunnel behave differently from an outside connection attempt, so I learned something today.

    Furthermore, I didn't want to imply that you didn't know what you were doing. You obviously do...

    However, I still marvel at the number of ISP's, webhosters, etc. that have their customers login with non-secure connections on networks that are known to be compromised with sniffers, etc. Until the day comes that SSL/SSH connections are mandatory for e-mail, uploads, etc. it'll be far too easy not to exploit these obvious loopholes. If it were up to me, ports 25, 110, etc. would be retired and replaced with authenticated connections.

    1. Re:Thanks... by sjames · · Score: 1

      ... I had no idea that connections via a localhost tunnel behave differently from an outside connection attempt, so I learned something today.

      It behaves differently since connections from localhost imply that who or whatever made the connection is authorized (since that would require logging in).

      However, I still marvel at the number of ISP's, webhosters, etc. that have their customers login with non-secure connections on networks that are known to be compromised with sniffers, etc.

      It would be nice if all logins happened through secured connections or using key exchanges. Unfortunately a lot of software out there has no clue about that and 'requires' plaintext login to imap or pop. I suppose the plaintext is used because so many clients default to it.

  98. If it came from your network, it's your spam by Arrogant-Bastard · · Score: 1

    It doesn't matter if it's a spammer on your network, or an insecure mail server, or an exploited Formmail script, or a hijacked Windows box, or anything else: if you can't keep your network from sending spam, then you need to disconnect it from the Internet until you can.

    A corollary to this is that if you're supporting spam -- providing DNS, hosting a web site, handling a mailbox, providing a dialup account, routing traffic, anything: that's your spam, too. You need to stop. NOW.

    It really is as simple as that: spam doesn't just fall out of the sky and magically land on the Internet: it comes from hosts, and hosts are on networks. And it doesn't matter whether the people who are permitting this to happen are doing it (a) because they're clueless or (b) because they've been paid to look the other way: the result is the same in either case.

    Accountability for this is long overdue, but it's coming:

    That's how it's going to have to be, because the people who are responsible for spam won't have it any other way. We're long past the time when we asked nicely: we've arrived at the time where anyone spamming or supporting spam -- and who won't stop immediately -- needs to be blacklisted forever.

  99. Re:Spam is preventable, except its hard to do RIGH by dspisak · · Score: 1

    It's something I am working on, but I can't post it until I've got all the kinks worked out.

  100. Bandwidth is Free - Abuse Handling Isn't by billstewart · · Score: 1
    Bandwidth is pretty close to free - if you can afford to have a customer running BitTorrent or doing lots of web surfing or running a web server or running a legitimate mail server, you can afford the bandwidth the same user uses as a spam-relay zombie, and it's actually cheaper because they're not using your mail servers. It's especially true for asymmetric media like ADSL and Cable Modems - the 128kbps or 384kbps upstream bandwidth is a lot cheaper than the 1.5 Mbps downstream.

    Handling abuse complaints from other carriers and random internet users and having your customers bitch you out because your IP address space is on eleventy-three different blacklists which kills their legitimate email, however, is _not_ free :-) If you're an ISP, you've got an incentive to discourage that sort of thing. Unfortunately, if you mindlessly block Port 25, you're breaking the end-to-end principle that makes the Internet friendly to creative users as opposed to couch-potato consumers, and you want to keep them. So you need other solutions. Some ISPs have a policy that Port 25 is blocked by default, but the user can enable it with their regular options-management web page. That's sufficiently friendly to Linux users who *want* to handle their own email, while blocking zombie spam from people who didn't know they were running an SMTP system.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  101. Pay phone unprofitability and Drug War Correctness by billstewart · · Score: 1
    The reason that pay phones don't accept incoming calls is primarily that they don't make any *money* on incoming calls, and secondarily the political correctness of harassing people who use or sell politically incorrect drugs. (Your local convenience store, where the pay phones don't accept incoming calls, sells far more dangerous drugs, tobacco and ethanol, than the drug dealers they're discouraging.) Pay phones make money by charging a lot for making outgoing calls.

    Political Correctness wouldn't be all that effective if pay phones made money on incoming calls, but since they don't, it's a good enough excuse for the pay phone company, who would otherwise be criticized for being hostile to poor people who use pay phones and travellers without cellphones. Besides, by now, drug dealers can get cheap anonymous prepaid cellphones, so there's no need for them to use pay phones to return pager calls.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  102. Answerbots as a substitute for abuse handling by billstewart · · Score: 1
    For most ISPs, 95% of their spam complaints can be handled by an answerbot that sends a "thank you, we'll check into that spammer and bust him" response to complaints, and 99.9% can be handled by a followup %s hours later saying "We checked into your complaint and we're closing that spammer's account", and it's only the 0.1% who'll actually bother checking (at least unless the spammer repeatedly targets the complainer using the same name.) If the spammer list-washes complaints, either to take complainers off the list or at least to use a different name to spam them with next time, it mostly goes unnoticed in the flood of other spam.

    Complaints from actual ISPs are a different problem, particularly complaints from your upstream's abuse department. But that just means you need to make sure any of your spammer customers try not to spam the wrong people.

    Cynical? Me? What????

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  103. Zombies vs. Open Relays vs. Cracked Servers by billstewart · · Score: 1
    • Once upon a time, cheap dialup accounts sending lots of spam before they got shut down were the big threat, and forcing outbound email through rate-limiting servers would catch most of it, though they often weren't run as well as you could run your own machine.
    • A couple of years ago, Open Relays were the big spam-forwarding threat, and checking for open relays would catch most of it.
    • Then Open Proxies were the problem, though they're harder to check for.
    • Now Zombies on Cracked Windows Machines are the problem.
    • Next year, Something Else will be the problem.
    Cracked Email Servers don't seem to be a big problem, except for occasional open relays that are easy to detect and close - so allowing users who knowingly run their own servers to send Port 25 mail isn't a big threat (unless they're actual spammers, in which case you hunt them down and kill them) - it's much harder to crack email servers than random Windows boxes, and there are a lot fewer of them. Cracked Windows boxes running Zombieware normally aren't bright enough to request that the ISP enable port 25 - so if the ISP is blocking outbound Port 25, or transparently forcing it through rate-limiting servers, you can catch most of that spam.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  104. No need to block 587/etc. by billstewart · · Score: 1
    • Port 25 is used to deliver messages to destination mailbox servers, and can also be used by non-self-sufficient email clients to hand mail to SMTP servers that are smart enough to locate the destination mailbox server and keep retrying if the initial delivery fails.
    • Delivering unwanted messages to destination mailbox servers is a fundamental requirement for spam. The people who don't mind interfering with legitimate self-sufficient email MTAs/MUAs/peers if it helps reduce spam use Port 25 blocking as a tool for reducing spam.
    • Submitting email to an intermediate SMTP server isn't spamming, because it's not delivering it to the recipient who doesn't want it. The email itself might be legitimate or might be spam, and the intermediate SMTP server might do spam filtering or do rate limiting to reduce the amount of spam that gets transmitted.
    • Traditionally, mail from a non-self-sufficient mail system to a smarter mail system used unauthenticated Port 25, just as delivery did, but the kinds of people who don't mind collateral damage in the cause of spam prevention usually avoid damage by permitting Port 25 submission to "official" SMTP servers.
    • Mail submission from an unknown or anonymous source might be spam, and also might be forgery, and also might be consumption of resources by people who aren't paying you for them, so SMTP servers often authenticate mail submission, either by SSL or other submission protocols or passwords or static IP addresses or carefully tracked dynamic addresses or sometimes even untracked dynamic addresses. Anti-spammers almost never want to block authenticated email, unless of course the user has been identified as a spammer. Even if some customer is using an authenticated submission protocol to reach a mail server outside the ISP's domain, that's Somebody Else's Problem, and that outside mail server can be held responsible for any spamming.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  105. IDing customers is hard - Obfuscation is *easy* by billstewart · · Score: 1
    • Identifying customers is *really* hard, which means that it's often not cost-effective, unless you're delivering an access line to a physical location. Credit card numbers don't work well, though they're certainly a start - criminal spammers will use freshly stolen card numbers, non-criminal spammers will just use cheaply obtained debit cards or one-use numbers from privacy-protecting credit card companies, etc. Customer name is useless - businesses can call themselves almost anything they want. Physical address? Mailbox companies are easy.
    • Creating corporations is cheap and convenient. I've seen at least one spammer whose whois information was a "suite" number at "The Company Corporation" in Delaware, which is the canonical place to get a small Delaware corporation for ~$100. If you'd tracked them down and sued them for everything they were worth and had John Ashcroft burn their incorporation papers at the stake, all they'd be out is any money they hadn't spent yet, plus another $100 for their next disposable corporate shell. And that corporate shell might do business under a lot of names.
    • While it's not always easy for consumers to really check the legitimacy of a "business", the kinds of consumers who would even think about doing so aren't the problem. The consumers who buy Herbal Fake Viagra and give all their financial information to "mortgage" companies that send them ads on the net and spend lots of money helping Desperate Nigerian Housewives are the problem.
    • The registrar business is very decentralized now, plus see the previous comment about "it's hard to identify a customer". Furthermore, the registrar business is cheap and highly automated with very little profit margin about the $6 that the Registry overcharges registrars, so registrars can't afford to do real checking, and many registrars make money by letting their customers (e.g. ISPs, hosting centers, etc.) do that work by reselling to end users - and those resellers have even less incentive to spend money checking who they sell the names to. ICANN doesn't have much control over the process, and the way much of it remains stable today is the counter-arguments between "Let ICANN take over from Verisign? Bwah-hah-hah, you're crazy, that'd be even worse!" and "Kick out ICANN? Only the US Federal Government could really kick them out, and then you'd have Ashcroft-lite running it!"
    • DNS support is quasi-separate from DNS registration - any ISP that's spammer-friendly can easily run DNS for the spammer as well, but while it would be nice if non-spamhaus ISPs were better at kicking off known spammers, there's a lot of risk in letting that be decided randomly, and anything that makes it easier to kill the spammers makes it easier to hijack domains.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  106. SPF for Banks, not so much ISPs by billstewart · · Score: 1

    SPF for ISPs may be somewhat useful, but not that much - it's mainly the free email systems like Yahoo that want to cut down on complaints about spam with forged addresses. The big impact on spam would be for banks, e-gold, and similar financial institutions that have serious phishing problems. Getting four or five of the biggest ones to do SPF or DomainKeys or some equivalent would make one of the major sources of spam that I get unprofitable.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  107. "Functioning" is meaningless for postmaster/abuse by billstewart · · Score: 1

    Sure, you could force domains that accept any email to accept mail to postmaster@domain. That doesn't mean that mail to postmaster gets read by a human, or that that human does anything useful with it. Similarly for abuse@. A domain administrator that doesn't want to do anything useful but wants to cut down on complaints could take care of 95% of responses with a replybot that acknowledges receipt and says they'll get on it right away, and could take care of 99.9% of problems by a replybot that also follows up mail to abuse@ with a "Thank you, we've resolved the problem by cancelling that user's account", even if it's not at all true.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  108. Spews - Hate It - Too Aggressive by billstewart · · Score: 1

    Spews may or may not have cleaned up their act, but they were always really heavy-handed with the collateral damage and not worried about false positives. It's certainly not something I could trust to junk a message for me, even after whitelisting my friends. On the other hand, as one component to SpamAssassin weights, it's probably not too bad, as long as it's not taken too seriously.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Spews - Hate It - Too Aggressive by Trillan · · Score: 1

      Well, I use it and assign a very high score to it. Thus far, it's never led to a false positive.

      Frankly, anyone I want to deal with is intelligent enough to investigate their host before signing a contract. You wouldn't move in next to cocaine dealers or a whore house, why would you use a host that supports spammers?

  109. Real Mailing Lists and Clueless ISPs. by billstewart · · Score: 1
    There's a fairly simple, if not painless, solution to the problem, which is not to use clueless ISPs. No matter what town you live in, there's an ISP you can use that's not clueless - it may not be in your town, but if you've got an internet connection big enough to run a mailing list on, you've got a connection big enough to SSH out to somewhere else, and if your local ISP is too clueless for your mailing list to work, they're probably not the place you want your web page either. Worst case is you might have to spend US$20/month to get an account on a better ISP, and if you work with a bunch of .orgs, you can often use that account to support all of them.

    One big difference between small ISPs and big ISPs is the amount of personal attention you get, and even though the small-ISP business in the US is retrenching a lot, there are still a few thousand of them out there, plus there are probably also thousands of other service providers who use colo or hosting services to provide customizable support to end-users, often cheaply. If you can't get personal attention, and you can't get left alone, and you can't get whitelisted, there are *lots* of other ISPs to go to. (Getting un-RBLed is a separate problem....)

    The proprietor of the ISP where my main mailbox really lives has a heavy degree of clue, and is someone I see socially (I'm still paying the low price that he started charging for accounts when the machine in his bedroom was transitioning from a home box into a business, but regular accounts are cheap :-) The ISP I get my static-IP DSL line from still supports shell accounts for users and SSH access along with their dial service for $18.95/month (sonic.net). Conveniently, the ~250-person social-announcement mailing list I run is on a machine that uses the ISP where my email is (it's nice to be in the Bay Area), and the machine that the list used to be on uses a nationwide DSL provider (Speakeasy.) The ~500-person list I used to run on somebody's bedroom machine on a different DSL provider never had any problems with getting spam-blocked (I think the reliability problems were more with the hardware than the DSL provider, but they were all "access to the machine's dead again" rather than spam-blocking.) And that's not even counting commercial mail hosting services, or things like yahoogroups if you don't need privacy.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  110. Agreed, many of these folks posting are uninformed by Anonymous Coward · · Score: 0

    This discussion is supposed to be about spam and how ISPs are irresponsible. Many of the ideas and posts here have utopian merit, but lack a basic understanding of how mail servers work.

    For those that don't get it:

    All back-end mail traffic (mail server to mail server) is sent and received between mail servers using port 25. There is no authentication required for mail server A to send mail to mail server B over port 25. Even if this traffic could be piped over a secure channel, you still can't require authentication. As long as you don't require authentication for mail servers to talk to each other (I don't see how you ever could), spam is going to be a problem.

    Bottom line (and this will only help prevent spam, not eliminate it):

    1) As gpuk stated...ALL ISPs should be required to block outbound SMTP (port 25) traffic from their users' host machines, unless it is destined to a known-to-be-safe ISP-provided mail server. These known-to-be-safe SMTP servers should require TLS encrypted authentication before mail can be sent to them by its hosted users.
    2) ALL ISPs should be required to not have open relays (most don't or they would be killed by spam traffic once it was discovered and they would be placed on black lists). This really doesn't need to be mentioned to ISPs, but does for DIYers setting up their own corporate mail servers etc.
    3) ALL ISPs should be required to have reasonable rules for sending mail. Only so many messages per session etc.
    4) All ISP POP servers should be required to use TLS encryption.

    All of these rules can be easily set up in ISP firewalls and mail servers. If they refuse to do it, they should be warned and gradually shut down if they don't comply. This is just plain irresponsibility and greed on their part. How much business are they going to lose? Only the spam friendly ISPs are going to lose out...and who really cares about them anyhow?
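
Rules 1 and 3 from comment 110 above, applied to flow records as an added example that is not part of any poster's comment: it flags subscriber hosts attempting direct port-25 delivery past the ISP relay and hosts exceeding a relay volume ceiling. The address ranges, the ceiling, and the "src dst dport msgs" record layout are assumptions made for the sketch.

```python
import ipaddress
from collections import Counter

# Assumptions for this sketch (not from the thread): documentation-range
# addresses, the per-host ceiling, and the "src dst dport msgs" layout.
CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")    # subscriber pool
SMARTHOSTS = {ipaddress.ip_address("198.51.100.25")}   # ISP-provided relay
MAX_MSGS_PER_HOST = 100                                 # rule 3 ceiling

# Constructed sample flow records, including one malformed line.
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.25 587 12
192.0.2.11 203.0.113.7 25 1
192.0.2.11 203.0.113.9 25 1
192.0.2.12 198.51.100.25 587 450
192.0.2.13 203.0.113.80 443 0
bogus line
"""

def parse_flows(text):
    """Yield (src, dst, dport, msgs); skip malformed lines instead of failing."""
    for line in text.splitlines():
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            yield src, dst, int(parts[2]), int(parts[3])
        except (IndexError, ValueError):
            continue

def egress_verdict(src, dst, dport):
    """Rule 1: subscriber traffic to port 25 is blocked unless it targets a smarthost."""
    if src in CUSTOMER_NET and dport == 25 and dst not in SMARTHOSTS:
        return "block"
    return "allow"

def audit(text):
    """Return (hosts attempting direct delivery, hosts over the relay ceiling)."""
    direct, volume = set(), Counter()
    for src, dst, dport, msgs in parse_flows(text):
        if egress_verdict(src, dst, dport) == "block":
            direct.add(str(src))       # likely compromised or misconfigured host
        elif dst in SMARTHOSTS:
            volume[str(src)] += msgs   # authenticated relay use, counted per host
    over = {host for host, n in volume.items() if n > MAX_MSGS_PER_HOST}
    return sorted(direct), sorted(over)

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```

Hosts in the first list are candidates for customer notification, since blocked direct-to-MX attempts usually mean an infected machine; hosts in the second list are authenticated accounts whose volume warrants review.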

  111. Comcast is one of the worst offenders.... by Anonymous Coward · · Score: 0

    Every day I get reams of spam, virus attacks and identity theft, all originating from IPs under Comcast's control. I have sent numerous copies to abuse@comcast; they do nothing! The spam attacks continue. They are interested in profit to the point of excluding corporate responsibility. Their corporate indifference to the criminal acts being conducted over their service, despite their awareness, makes them criminally liable in my opinion. I would like to see some major company sue them. Since this will never happen maybe they should be recipients of the seeds they have sown: I suggest that it would be interesting if their own network was brought down by spammers and denial of service attacks.

  112. Good post, this IS what needs to be done. by Anonymous Coward · · Score: 0

    Uneducated people and hacker types are not going to get this.