New Spam Zombies Use ISPs' Mailservers

RMX writes "CNet's reporting that the new spam zombie PCs are no longer acting as their own mailservers, but cooperate with the ISPs' recommendation that instead of running your own mail server, to use theirs instead."

Why aren't they using SMTP-AUTH?

[PornMaster]

I really don't understand why they don't just use SMTP-AUTH. This shouldn't be something that's such a huge deal... and certainly shouldn't come anywhere near what this guy said in the article...

"The e-mail infrastructure is beginning to fail," Linford warned. "You'll see huge delays in e-mail and servers collapsing. It's the beginning of the e-mail meltdown."

Re:Why aren't they using SMTP-AUTH?

[PornMaster]

Not only does it authenticate the user, it also provides a way to revoke authorization on a per-user basis in a way that still allows the user to receive a mail explaining why they're unable to send mail -- simply shutting off the user's internet access doesn't do this, and putting in ACLs to block only port 25 from their IP probably isn't practical on many ISPs' infrastructures.

This is why some isp's..

[lordsilence]

throttle the amount of e-mails a customer can send per time-period.. and the max amount of "BCC, CC" addressess.

It's just a hell and takes lots of time to go through contacting abuse-department of ISP's like AOL and Verizon who decide to block for very few spam-reports. Even though the damage of spambot-infested computers on your own network is limited.

Re:This is why some isp's..

[fimbulvetr]

Yeah unless the customer is large.
I tried this. I limited outbound emails to 1000 addresses at a time thinking that was very reasonable. Within a week there was a complaint from one of major companies that they couldn't send to all of thier remote offices. Sure enough, not only did they have more than 1000, they had 13,000.
I realize this isn't an everyday occurance, but this situation should show that using a limit fix is not a good solution.
Even doing a max-per-hour won't work. There are times when outbound email from a company can increase exponentially for legit reasons.

Re:Simple solution

[Osty]

It's a shame that people are so attached to their horrid Microsoft Outlook email client. Otherwise, two problems could be solved in one fell swoop: Have users SSH into the ISP email server, and use a simple client like Pine to send and receive their email.

First, this setup would enforce strong user authentication, as the parent wisely suggested. Secondly, it would eliminate that whole host of attacks against bad email clients (eg. Outlook) that the average computer user inexplicably blames on their ISP.

I'm going to assume you mean "Outlook Express" when you say "Outlook", otherwise your argument has no merit. Even then, Outlook Express isn't as bad as you make it out to be. For example, both Outlook and OE support SMTP-AUTH, via SSL or not (as well as both POP3 and IMAP-v4 over SSL). That addresses your first problem, which at this point is an ISP issue rather than an MTA issue. Your second point is really only valid for OE, and then only if you've never bothered to use Windows Update (in which case you're asking for other problems anyway). Outlook has blocked bad attachments since a service pack for Outlook 2000 (there have been two versions of Outlook since then, XP/2002 and 2003). Outlook 2003 (which is the only version I have installed right now, so I can only speak to other versions on memory) will also block malicious content in the body of the message itself (scripts, images linked to external sites, etc). If you're still getting infected by email viruses while using Outlook, you're either running a ridiculously old version, or you're explicitly overriding Outlook's protection mechanisms.

Moving everybody back to pine (or better, mutt, but that's my own personal preference) via ssh is not an acceptable solution. Forcing everybody through a webmail interface is only slightly better, but even that is not very desirable (see the new Outlook Live service from Microsoft that lets you read your hotmail email via Outlook rather than the web page, or RPC over HTTP in Exchange 2003 that lets you access corporate email without a VPN rather than using OWA).

Re:We're winning

[MikeBabcock]

This is a loss. The ISP *can't* detect this without huge amounts of effort *and* the probability of pissing off lots of customers.

PS, blocking port 25 for customers is just plain dumb -- I have a lot of customers that go on the road and don't want to reconfigure their laptop to use the local dial-up access SMTP server for two hours, then do again in the next city.

They just leave the SMTP set to us, and we have secure logins. Voila. Oh, but we can't use port 25 because a lot of ISPs block it.

Re:Not surprised....

[Sandman1971]

Depends how smart the ISP is set up. A smart ISP will separate their inbound and outbound servers, and only allow their own customers to connect to the outbound servers. An MX lookup would give the inbound servers, which customers would be blocked from using.

Re:Not surprised....

[mikeswi]

You really don't even need to do that much. Outlook and Outlook Express both keep all of their settings in the registry. All a virus needs to do is to parse the contents of a certain registry key.

I don't know if the login/password is stored there as well, but the server information sure is.

RFC 2476

[tepples]

I have a lot of customers that go on the road ... They just leave the SMTP set to us, and we have secure logins. Voila. Oh, but we can't use port 25 because a lot of ISPs block it.

You're using SMTP AUTH over TLS on port 587/tcp per RFC 2476, right? ISPs have fewer legitimate reasons (if any) to block 587/tcp out than 25/tcp out.

Re:violation of ISP contract?

[jessecurry]

We do this on our campus networks. Basically we get pissed off people calling us and we provide them with a disk containing a virus scanner(McAffee in our case) and some antispyware tools(Ad-aware for now, although MS's adware offering is looking surprisingly promising ATM) and a page with instructions on how to install the software and run the scans.
The pages even have lovely pictures so the users can't(read: shouldn't be able to once they have removed their heads from their asses) make a mistake.
When the user think that they are clean we rescan their network traffic and if everything checks out we place them back on the standard network.
Last year almost the entire campus fell victim to adware, spyware, and virii... this year only a handful. It seems to work. If they get re-infected they lose their internet access again.

Law is the answer and the answer is law!

[D4C5CE]

Right below "TFA", there's a link to Yet Another Interesting Article.

Just take a look at the statistics:

Europe has only had strict laws against junk communications for two years (Article 13 of Directive 2002/58/EC), they have only been in full force since November 2003 (and the provisions for criminal penalties are not even in place in each and every corner of the European Union yet) - but they mean pure and simple opt-in, and look how this continent's "spam output" already has become almost completely insignificant.

The U.S., I'm afraid to say, have put next to nothing in the way of these sociopaths: only a now-you-CAN-SPAM-more-than-ever Act that lives up to its name in the worst of ways, by legalizing most of the spam, enacting an unworkable opt-out onus on the users, and putting anti-spam warriors at the legal risk of interfering with (and being taken to court by the operators of) what is considered a legitimate "business model" except for some of the worst abuses - and for however little it is, all of this even an entire decade too late.

Reliance on technical solutions and minimal government intervention is just fine for many things - but it's failed in the fight against spam.

Here is how to do it:

Where the rights of the users and subscribers are not respected, national legislation should provide for judicial remedies. Penalties should be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken under this Directive.
(...)
"electronic mail" means any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient.
(...)
The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.
(...)
In any event, the practice of sending electronic mail for purposes of direct marketing disguising or concealing the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such communications cease, shall be prohibited.

That's certainly nowhere near rocket science, and if the above looks a bit complicated, that's probably just because

• a directive is a (binding) template for lawmakers in all of the European Union's member states
• necessarily, the legal techniques as well as the "Legalese" itself vary between jurisdictions
• this is a great one-ban-fits-all provision that outlaws each and every flavor of spam at once

"First Amendment" implications: zero (and yes, of course there is freedom of speech in this part of the world as well, and even more of that speech could be heard if it wasn't drowned out by American spam - some of which comes relayed thru Asia of course) - it only bars some people from "pissing in everyone else's pool", but certainly not from speaking their mind!

There is nothing wrong with following an example that works so well, even if it is from Europe...

Call your congresscritter now to outlaw unsolicited commercial communications, place a hefty fine and jail time on the offenders, and put an end to these abuses before they put an end to eMail itself.