Slashdot Mirror


New Spam Zombies Use ISPs' Mailservers

RMX writes "CNet's reporting that the new spam zombie PCs are no longer acting as their own mailservers, but cooperate with the ISPs' recommendation that instead of running your own mail server, to use theirs instead."

80 of 383 comments shown

  1. Eh? by Anonymous Coward · · Score: 3, Insightful

    Is this just doing what normal email clients do already? Why didn't they think of it earlier?

    1. Re:Eh? by JPriest · · Score: 3, Interesting
      Or it's a sign SPF has an obvious workaround.

      No, forcing clients to use valid SMTP servers is most of the reason SPF exists. The point is, most security measures on SMTP servers are moot because they can work around them simply by running their own SMTP process.

      The idea is to force them to adhere to using authorized servers that are actually under someone's control.

      Now things like shutting down open relays, smtp auth, send limits, outgoing filters etc. are not just a wasted effort.

      Right now if an infected box on our network is spamming someone we don't know till they contact us about it. If we force them to have to spam through a mail platform in our control we can almost automate this process.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
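JPriest's point is that SPF only does its job when legitimate mail leaves through the servers the domain owner has listed: a zombie sending straight from a residential address fails the check, while the same message relayed through the ISP's listed servers passes. As an added example (not code from the thread and not any library's SPF implementation), here is a minimal evaluator for the ip4, ip6, include and all mechanisms with the +/-/~/? qualifiers. The domains, address blocks and records are constructed and come from an in-memory table instead of DNS; the a, mx, ptr and exists mechanisms are deliberately left out.

```python
"""Minimal SPF evaluator (subset of RFC 7208), added for illustration."""
import ipaddress

# Constructed sample records: hypothetical domains and documentation prefixes.
# example-isp.test stands for the ISP whose outbound servers customers must use;
# example.test is a customer domain that delegates to it via include:.
SPF_RECORDS = {
    "example-isp.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:feed::/48 -all",
    "example.test": "v=spf1 include:example-isp.test ~all",
    "loop.test": "v=spf1 include:loop.test -all",   # self-referencing, must not recurse forever
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDES = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def _lookup_spf(domain):
    """Stand-in for a TXT lookup; returns the record string or None."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(sender_ip, domain, _budget=None):
    """Evaluate domain's SPF record for sender_ip.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    """
    if _budget is None:
        _budget = [MAX_INCLUDES]        # shared across nested include: calls
    record = _lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"      # too many includes (or a loop)
            inner = check_spf(sender_ip, arg, _budget)
            if inner in ("permerror", "none"):
                return "permerror"      # include of a domain without SPF is an error
            matched = inner == "pass"   # only an inner pass matches the include
        else:
            return "permerror"          # a, mx, ptr, exists: not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no "all" term
```

Running `check_spf("203.0.113.7", "example.test")` (a constructed residential address sending directly) yields `softfail`, while `check_spf("198.51.100.25", "example.test")` (relayed through the listed ISP range) yields `pass`; against the ISP's own stricter record the direct sender gets `fail`.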
    2. Re:Eh? by drsmithy · · Score: 2, Informative
      A quick name lookup on smtp.domain and mail.domain should find 99% of the mailservers out there.

      The throttling is another issue, however.

    3. Re:Eh? by RT+Alec · · Score: 2, Interesting

      How many ISPs have SMTP+AUTH (or some other type of authentication, like POP-before-SMTP)? If they are not running a totally open relay, usually they just restrict access to their own IP addresses, and to their domain (e.g. '@comcast.net').

  2. violation of ISP contract? by Starbreeze · · Score: 4, Funny

    Yeah, and then all those zombies lose their ISP accounts, and suddenly become much more aware of the need to secure their PC.

    1. Re:violation of ISP contract? by enosys · · Score: 3, Insightful

      That can also happen to zombies that send spam without using the ISP's SMTP server. If they do use the ISP's server that should make the ISP notice sooner though.

    2. Re:violation of ISP contract? by xtrvd · · Score: 5, Insightful

      Telus, my ISP in British Columbia (Canada) already takes a fairly aggressive stance on this situation. In the past few years, they have realized that their clients are idiots and will open up any attachments they get in their email clients, even those great ones with .scr's from v1agra@sh0p0ur31337store.ch.

      In order to stop their networks from becoming ridden with viruses, they simply closed off the accounts of whomever was infected. Sure people complained, but in the end, there were more people that were satisfied since their computer only needed to be infected with one virus for them to notice. Instead of having a computer with 20+ self-propagating viruses, the user only had one when they realized they needed it fixed.

      Joe Users seem to ignore popups and slow-downs of their computers as long as they can still connect to the internet and check their AOL email. As soon as they're disconnected, they will call up the ISP and find out how to get their computer fixed.

      If these ISPs can take the same stance against zombies becoming spam servers, it shouldn't be long until Joe User is forced to learn how to use a firewall to protect himself from being disconnected.

      As soon as we have ISPs that are *more* responsible for the content going through their networks, we'll have a better internet.

    3. Re:violation of ISP contract? by CrackerJack9 · · Score: 5, Insightful

      That would be great, but one of the same reasons Joe User isn't already securing his PC is that he doesn't know where to start, let alone how to finish.

      Let's say the ISP tells him to run ZoneAlarm (firewall for PCs), he will most likely end up just saying "Allow always" to any suspicious programs requesting internet access, or "Deny always" and he'll just have to call the ISP back to figure out why Windows can't open any TCP/IP connections. It's a great fix on paper, but I think there are a lot of other factors that need to be considered before you assume you can "just tell them to become computer security experts".

    4. Re:violation of ISP contract? by Seumas · · Score: 4, Interesting

      What kind of crappy ISP delivers messages containing *.SCR, *.CPL, *.COM, *.PIF, *.BAT and so forth to their customers?!

      And yes, Joe User tends to ignore popups, because a lot of the "professionals" are idiots. We have a radio program in Portland on the weekends hosted by some "long time computer experts". Every time the topic of "how to prevent popups" comes up, the host insists that your web browser has NOTHING TO DO WITH IT. Popups are entirely a problem with your machine being infected and you need to install a good virus scanner to avoid them.

      People have called up and said "no, I think they're talking about web popups that you get when you visit a website without a popup blocker". Rather than suggesting people use Firefox or something, he actually says "If you're getting popups, it is because you've done something wrong and aren't protecting your PC". He refuses to acknowledge (and has for many months) that if you visit a website without some form of popup blocker, you'll often encounter popups BECAUSE THE WEBSITE IS SENDING THEM.

      I mean... it baffles me that people like this are being treated like expert professionals and they're misleading thousands of people in the process of pumping up their own misguided ego.

    5. Re:violation of ISP contract? by RollingThunder · · Score: 4, Interesting

      Heck, we had our Telus business ADSL shut down because somebody bounced through a wireless card on an XP laptop that the dumb**** marketing director had enabled the "provide access to the internet" or whatever it is via.

      Our office was only on the 4th floor, and his system was right at the window, so somebody popped through and started doing crap on the Zone servers. Telus cut us off within a day, and I was damned impressed.

      I was angry too - but not at Telus. At the marketing guy and myself (for leaving open outbound access). I fixed his system, and instituted "via proxy only" outbound for port 80, and no more problems.

    6. Re:violation of ISP contract? by xtrvd · · Score: 4, Interesting

      I agree with you on making everybody a security expert. People simply don't have enough time to learn how to use a computer, especially if they just want to check their email on it. But if they cannot use their computer without it causing problems to the rest of us on the internet by being a Spam server, they need to take responsibility somehow.

      I'm going to go on a stretch here. It's similar to driving a car (Please note, I said similar, not the same as). You receive a license to use a car so that you can drive around in a controlled environment where other people reside: The public roadways. You can do whatever you want in your own environment (Own PC) just as you can spin doughnuts in your backyard if you really want to.

      You get your license to drive on the public roadways (Networks) and if you choose to not lock your car, then somebody else will steal it and hopefully the police will either take your car away (take your computer away) or they'll take your license away if you were the one actually doing the infraction. (ISP disconnects you from the internet)

      If you are caught doing something bad in a car on public roadways, you should be punished; if you choose to turn on that computer that is not secured in any way, shape, or form, you should not be allowed to use it. [Don't yell at me yet]. If you're not prepared to get into a car and harness its abilities, then you'll want to start with a car that's attached to a track, like those ones the 4 year olds use in amusement parks.
      You can consider those tracked cars like Macs; because with all due respect, you can't become a zombie computer without at least trying.

      Until you learn to use a car, you'll never get a license to use it. Until you learn to use a computer, you shouldn't be on the internet.

      My two cents.
      Thanks for your insightful reply CrackerJack9.

    7. Re:violation of ISP contract? by ErikZ · · Score: 5, Insightful


      Yep. And the great thing about having a licence to use a computer is the immense power it gives the government over you.

      Piss off someone in power? Take away your licence.

      Mistakenly accused? Take away your licence until you clear things up.

      Go up against the latest political hotbutton that no one takes seriously? To make it serious, they come up with a new punishment. Take away your licence!

      A licence to operate a computer is a horrible, horrible idea.

      --
      Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
    8. Re:violation of ISP contract? by CrackerJack9 · · Score: 4, Interesting

      While I agree with your post, can we both also agree that "stay between the lines", "obey speed limits" and the like are much more simplistic than some of those you would need to understand to be truly proficient at protecting your home network. I realize, "don't double click that attachment that says it will show boobies if I do" isn't too complicated, but it also takes place in a different realm than driving a car does. Perhaps we should blame culture, simply that computers are relatively new, or even that you don't need a license (to show at least some proficiency and basic rules to follow, like a driver's permit) that there are so many problems that can very easily be avoided. What I don't think is that by making them (people who have car accidents or get speeding tickets) install a program that is quite complicated (even if considering only the conceptual complications), such as a firewall, will help solve the problem to a reasonable degree. By reasonable, I mean not snatching anyone's computer away simply because they did not run Windows Update hourly. Just like we don't get driving licenses revoked after a single accident or ticket. I'm all for Computer Usage 101 coming with any computer purchase or something in that sense, but ISPs forcing them to install things or improve security beyond their capacity to do so seems unreasonable to me (see parent post/my reply).

    9. Re:violation of ISP contract? by ErikZ · · Score: 2, Interesting


      From what people are saying, ISPs can't even manage the spam and virii coming from their own customers' computers.

      I doubt they'll be able to handle anything like a licence.

      --
      Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
    10. Re:violation of ISP contract? by schon · · Score: 4, Interesting

      Telus's attempts at spam control remind me of the keystone cops. They hinder people who know what they're doing, and do *nothing* to stop spam.

      Telus has had its netblocks (including the ones their mailservers are on) blacklisted many, many times - and their response has been to simply ask for removal, without actually fixing the problem. When their mail servers got blacklisted by Spamcop, their response went something like "well, we're a large ISP, so you should remove the block."

      Here is an example of Telus stupidity in action. I've received the *exact same* response from them.

      They don't give out static IP addresses (even though they claim they do), instead forcing their customers to use DHCP for their mailservers (yes - even when the customers *PAY* for a static IP address) - and when the addresses change, the customers frequently find themselves in various blacklists.

      If you think that Telus is responsible, you should do a google groups search for them in news.admin.net-abuse.email

    11. Re:violation of ISP contract? by rawg · · Score: 5, Interesting

      Yeah, the police should take your car away if you leave it unlocked. You must live in California.

      Personally I would rather see it this way; if your car is doing something bad, then it should be stopped and not allowed on the road until it's fixed. IE leaking oil on the road, lots of smoke coming out of it, or parts falling off.

      If you're driving down the freeway with 300 feet of linked banners attached to the back of your car, then you should be stopped. Even if you didn't attach those banners to it.

      --
      The above is not worth reading.
    12. Re:violation of ISP contract? by jessecurry · · Score: 4, Informative

      We do this on our campus networks. Basically we get pissed off people calling us and we provide them with a disk containing a virus scanner (McAfee in our case) and some antispyware tools (Ad-aware for now, although MS's adware offering is looking surprisingly promising ATM) and a page with instructions on how to install the software and run the scans.
      The pages even have lovely pictures so the users can't(read: shouldn't be able to once they have removed their heads from their asses) make a mistake.
      When the user thinks that they are clean we rescan their network traffic and if everything checks out we place them back on the standard network.
      Last year almost the entire campus fell victim to adware, spyware, and virii... this year only a handful. It seems to work. If they get re-infected they lose their internet access again.

      --
      Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    13. Re:violation of ISP contract? by ThisIsFred · · Score: 4, Interesting
      What kind of crappy ISP delivers messages containing *.SCR, *.CPL, *.COM, *.PIF, *.BAT and so forth to their customers?!

      Probably the kind of ISP that realizes it's a security issue related to Windows, and therefore one of the risks best dealt with by the end user. Editing users' e-mail based on a file extension is stupid anyway. That's probably the same kind of thinking that went on at Microsoft's OS development group when they implemented file-type detection; more specifically, that shallow thinking is what is directly responsible for the Windows vulnerabilities based on extension-only file-type detection and the shell's automatic file association helper.

      So why not stop there? Windows' shellexec helper also attempts to do something with .zip, .wav, .mid and .mp3 extensions. Would you like your ISP to discard those messages automatically? I send a lot of material between work and home in .zip format. I'd change ISPs if some dunderhead was stupid enough to filter my e-mail based on meaningless extensions.

      Jesus, why are we still having this discussion? It's real simple for Microsoft to fix: Make it so any file coming from someplace other than the local filesystems is downloaded to disk only. Or simply give IE and Outlook their own file helper registries, where the default is to just download the file without attempting to open it. People have been setting up their own helper applications in Netscape for years, and no one ever died of exhaustion from the extra work.
      --
      Fred

      "A fool and his freedom are soon parted"
      -RMS
    14. Re:violation of ISP contract? by McNally · · Score: 4, Funny
      Personally I would rather see it this way; if your car is doing something bad, then it should be stopped and not allowed on the road until it's fixed. IE leaking oil on the road, lots of smoke coming out of it, or parts falling off.

      It's not quite clear from context: did you mean "IE" to represent "id est" or "Internet Explorer"?
    15. Re:violation of ISP contract? by NoSuchGuy · · Score: 4, Insightful

      Remember:

      1) Never ever let a marketing person configure some hardware!
      2) Never ever let a marketing director use the internet unattended!


      This sounds funny but it is meant seriously!

      --
      Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
    16. Re:violation of ISP contract? by CrackerJack9 · · Score: 2, Insightful

      ok, anti-spy/ad tools and virus scanning is all you mentioned...these are rather simple to set up and run (assuming removing ads won't disable some program they happen to be running, in which case you'll have an even more pissed off customer calling you or someone). I already admitted this, my main point is configuring a firewall for dummies...do you expect them to look up each process (some very necessary and some very bad) to either allow or deny it? Are you going to write a complete list of all processes that may at some time request access to the internet through a software client-side firewall? These are my points...I realize it's quite simple to do some of the things you are talking about...you'd have to read my posts to see what I'm talking about though...

    17. Re:violation of ISP contract? by CAIMLAS · · Score: 2, Interesting

      it would be interesting if, instead of simply cutting off their access, they switched them over to a non-routable subnet (via a short dhcp lease time) and direct all HTTP traffic to a single server which would then alert them to the problem (with bold blinking red on black text or something equally as noxious) and provide them with a list of links to various tools to disinfect them, based on what's a common problem at the time being. all stored on this private subnet, of course.

      They could even go a step further and automatically generate a custom page for the user based on the type of traffic and its signature (iis exploit, etc.), their IP address (thus, it would startle them with their own name), and even provide them with the most likely fixes for the problem.

      Then, after they're done fixing things they could click a button that said "I have fixed my computer and would like to use the internet within 15 minutes" or something like that. They'd then be 'tested' for such hostile network activity again, and if they didn't pass they'd be alerted to it.

      I could imagine a large cable/dsl ISP implementing something like this. it would pay for itself in a couple months due to bandwidth and tech support calls.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    18. Re:violation of ISP contract? by jessecurry · · Score: 2, Insightful

      I'd really recommend that the uneducated user forget about a firewall. I suppose that if the ISP found that a firewall really did much for their users they could offer 2 networks, one that was behind a firewall allowing access only to ports for http, smtp, etc.. and then a second network for "pro" users that would give them raw access. A web based form could allow users to switch themselves to whichever network they preferred.

      --
      Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    19. Re:violation of ISP contract? by Detritus · · Score: 2, Informative

      Not all of those attachments are "clearly malicious". I've emailed COM, EXE and BAT files to people when they needed a quick bug fix or a new feature. I can think of situations where I might need to send someone other files that are on your "clearly malicious" list.

      --
      Mea navis aericumbens anguillis abundat
    20. Re:violation of ISP contract? by Frank+T.+Lofaro+Jr. · · Score: 4, Interesting

      How about this idea?

      Demonstrate you can use a computer responsibly and you can get an SSL-like certificate from any number of private companies and other organizations saying so.

      People would be free to send email without such a certificate.

      People would also be free to reject any such email. Or accept it, it would be their choice.

      --
      Just because it CAN be done, doesn't mean it should!
    21. Re:violation of ISP contract? by TomsFingerKeys · · Score: 2, Interesting

      How about licenses for the publishers? Say, Microsoft couldn't sell a new version of Windows unless it passed some basic safety tests first, kind of like emissions testing and safety checks for cars to ensure they're "street legal".

      Yeah, horrible idea, but we can't blame everything on the uneducated/uninterested users.

    22. Re:violation of ISP contract? by cpeterso · · Score: 3, Insightful


      The proxy server at work does filtering; it won't let me search google for cable 'strippers', or go to 'demorcrat' or 'buddist' related sites (though I can go to 'republican' or 'christian' related sites). Draw your own conclusions.

      Maybe your employer has high grammar standards? Have you tried searching for "democrat" or "buddhist" web sites?

    23. Re:violation of ISP contract? by squeee · · Score: 3, Insightful

      If you start licensing software, effectively making it illegal to run unlicensed software, then you can wave goodbye to Linux or any open source software, as it may well meet the test requirements, but without an "owner" of the software, no one will get it licensed.

    24. Re:violation of ISP contract? by jessecurry · · Score: 2, Interesting

      I seriously doubt that anyone who doesn't understand how to keep their computer from being bogged down by spyware would think that their ISP had something to do with their not being able to do something. They would more likely think that the internet was broken.
      And it really wouldn't be all that hard to have the firewall return a page stating that the ISP has them on a more secure network along with instructions to move themselves to the open network.
      The reason that I see a system like this being somewhat practical is the fact that I have been a part of administering one for quite some time now. You wouldn't believe the number of people who didn't even notice that they were on a limited network. As long as they could check their e-mail, IM, and view most sites they were happy.
      I don't doubt that a system like this will work, I do however doubt that any ISPs are going to work on implementing such a system until malware seriously affects their bottom line.
      From an ISP's standpoint a nonworking PC just frees up more bandwidth for everyone else.

      --
      Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
    25. Re:violation of ISP contract? by troon · · Score: 2, Informative

      even those great ones with .scr's from v1agra@sh0p0ur31337store.ch.

      Why does everyone pick on Switzerland as being the source of spam? I would have thought .cn (China) would be more appropriate...

      --
      Ydco co ,df C erb-y go. a Ekrpat t.fxrapev
  3. Simple solution by MarkRose · · Score: 4, Interesting

    There's a very simple solution that many webhosting companies already use -- the ISP should force their users to authenticate with the server, using secure SSL. It's good practice anyway, and doing so would make even more work for the spam bots (they would have to find the user's login and password for the SMTP server).

    --
    Be relentless!
    1. Re:Simple solution by kerrle · · Score: 5, Insightful

      Or the bots could ignore that, and just send out with the default mail settings - most users would have OE set to remember password, so no real gain there.

    2. Re:Simple solution by SpottedKuh · · Score: 2, Insightful

      [T]he ISP should force their users to authenticate with the server, using secure SSL.

      It's a shame that people are so attached to their horrid Microsoft Outlook email client. Otherwise, two problems could be solved in one fell swoop: Have users SSH into the ISP email server, and use a simple client like Pine to send and receive their email.

      First, this setup would enforce strong user authentication, as the parent wisely suggested. Secondly, it would eliminate that whole host of attacks against bad email clients (e.g. Outlook) that the average computer user inexplicably blames on their ISP.

      Years ago, in the days of the 56K modem, the Edmonton Freenet provided email service in which people dialed in and used Pine. It worked great -- it was simple, effective, and they even provided a little manual so that all of the Pine-neophytes could learn to use the system. I remember everyone from the young to the old learning to use the system, and getting along splendidly after the rather small learning curve.

    3. Re:Simple solution by danielcole · · Score: 3, Insightful

      The simple problem of 'Remember my user id and password' negates your simple solution.

    4. Re:Simple solution by caino59 · · Score: 3, Insightful

      oh yea...pine - my mom will be all over that one!

      remember, you have to keep these dumbed down for the masses.

    5. Re:Simple solution by JVert · · Score: 2, Insightful

      Agreed.

      The user's machine is compromised. There is no method that can be widely adopted that will keep these programs from using the same functions that the computer does on a daily basis.

    6. Re:Simple solution by MarkRose · · Score: 2, Insightful

      However, using authentication, ISPs can easily block users who begin to send out too many emails (most likely spam), forcing them to deal with the problem (or get the ISP to allow them to send large volumes), or at least stopping the spread of spam.

      --
      Be relentless!
    7. Re:Simple solution by Osty · · Score: 4, Informative
      It's a shame that people are so attached to their horrid Microsoft Outlook email client. Otherwise, two problems could be solved in one fell swoop: Have users SSH into the ISP email server, and use a simple client like Pine to send and receive their email.
      First, this setup would enforce strong user authentication, as the parent wisely suggested. Secondly, it would eliminate that whole host of attacks against bad email clients (e.g. Outlook) that the average computer user inexplicably blames on their ISP.

      I'm going to assume you mean "Outlook Express" when you say "Outlook", otherwise your argument has no merit. Even then, Outlook Express isn't as bad as you make it out to be. For example, both Outlook and OE support SMTP-AUTH, via SSL or not (as well as both POP3 and IMAP-v4 over SSL). That addresses your first problem, which at this point is an ISP issue rather than an MTA issue. Your second point is really only valid for OE, and then only if you've never bothered to use Windows Update (in which case you're asking for other problems anyway). Outlook has blocked bad attachments since a service pack for Outlook 2000 (there have been two versions of Outlook since then, XP/2002 and 2003). Outlook 2003 (which is the only version I have installed right now, so I can only speak to other versions on memory) will also block malicious content in the body of the message itself (scripts, images linked to external sites, etc). If you're still getting infected by email viruses while using Outlook, you're either running a ridiculously old version, or you're explicitly overriding Outlook's protection mechanisms.

      Moving everybody back to pine (or better, mutt, but that's my own personal preference) via ssh is not an acceptable solution. Forcing everybody through a webmail interface is only slightly better, but even that is not very desirable (see the new Outlook Live service from Microsoft that lets you read your hotmail email via Outlook rather than the web page, or RPC over HTTP in Exchange 2003 that lets you access corporate email without a VPN rather than using OWA).

    8. Re:Simple solution by Seumas · · Score: 2, Interesting

      Are you saying that major ISPs don't require authentication to relay mail?! I have Comcast, but I've never used their servers (I run my own externally). What do they do then, just base whether or not to relay based on whether or not you're in their IP blocks?

      That's ludicrous. POP-BEFORE-SMTP or SMTP AUTH are extremely simple to set up without any additional complexity on the user's end. If the ISPs are not protecting their mailservers, then I would suggest this is THEIR problem - not the end-user's.

    9. Re:Simple solution by kerrle · · Score: 2, Informative
      ISP's can do that with or without SSL.

      Trust me, I've set it up.

    10. Re:Simple solution by mcc · · Score: 5, Funny

      Otherwise, two problems could be solved in one fell swoop: ... use Pine

      But then they would have a third problem.

    11. Re:Simple solution by tylernt · · Score: 2

      ISPs don't even need to buy a cert. They can be their own CA (Certification Authority) and issue a cert to themselves. They can instruct their clients to trust their self-issued cert when prompted, and Bob's your uncle.

      --
      DRM 'manages access' in the same way that a prison 'manages freedom'
    12. Re:Simple solution by Dark+Coder · · Score: 2, Informative

      Good luck on getting a root or intermediate CA certificate.

      Most root CAs (at least the ones that are found in browsers' CA list) charge a fortune to let an ISP have an intermediate CA certificate that can sign off additional client CA certificates.

      Plus, business sense forces the buyer of an intermediate CA certificate to recoup the exorbitant cost by charging all those who want to have their CA tied to the intermediate CA server.

      Not worth it. Just go self-signing and distribute the trusted root to the customer. A lot cheaper (it's free).

  4. Why aren't they using SMTP-AUTH? by PornMaster · · Score: 3, Informative

    I really don't understand why they don't just use SMTP-AUTH. This shouldn't be something that's such a huge deal... and certainly shouldn't come anywhere near what this guy said in the article...

    "The e-mail infrastructure is beginning to fail," Linford warned. "You'll see huge delays in e-mail and servers collapsing. It's the beginning of the e-mail meltdown."

    1. Re:Why aren't they using SMTP-AUTH? by LostCluster · · Score: 3, Insightful

      I don't see how that solves this problem. If the malware can read the configurations of the host's e-mail program, it can imitate any authorization you throw at it...

    2. Re:Why aren't they using SMTP-AUTH? by PornMaster · · Score: 4, Informative

      Not only does it authenticate the user, it also provides a way to revoke authorization on a per-user basis in a way that still allows the user to receive a mail explaining why they're unable to send mail -- simply shutting off the user's internet access doesn't do this, and putting in ACLs to block only port 25 from their IP probably isn't practical on many ISPs' infrastructures.

    3. Re:Why aren't they using SMTP-AUTH? by Yobgod+Ababua · · Score: 2, Insightful

      Of course, if the user doesn't let their mail client "remember" their password (I never trust mail clients to remember anything for me), then the virus would indeed be unable to complete its evil plan.

      They'd need to take the time to write a more sophisticated version of the trojan that first does some keystroke logging to steal your AUTH password, -then- sends spam with it.

      Once a virus allows "a remote attacker to gain complete control of your computer", there's really nothing that you could do that they won't be able to. Very disturbing how many MS virus alerts contain that very unpleasant phrase...

  5. MMMMmmmm by Azeroth48 · · Score: 2, Funny

    MMMMmmmmm Brai.... Opps MMMMmmmmm Spam

    --
    This is where we are, our rock we stand, among the world, looking forward, eternally.
  6. Many ISP mail servers get blacklisted now? by enosys · · Score: 5, Interesting

    Will many ISP SMTP servers get automatically blacklisted because of this?

    1. Re:Many ISP mail servers get blacklisted now? by slimme · · Score: 2, Informative

      I work for an ISP and our mailservers do get blacklisted by AOL sometimes. Some of our customers complained and that is how we found out.

      The ISP I work for mandates the use of their mailserver for outgoing e-mails and limits the number of mails that can be sent in a certain timeframe.

  7. Unnamed processes by Dancin_Santa · · Score: 3, Insightful

    I was reading about the "American GI (Joe) captured in Iraq" yesterday and the same thought crossed my mind today.

    If you are going to tell everyone that spam zombies (or terrorist websites) are out there, why don't you give details like processname (or website URL)?

    It does no one any good if you just say, "Hey, there's a chance your computer may be infected and is a zombie spammer," if you don't also tell us the zombie process name.

    1. Re:Unnamed processes by rusty0101 · · Score: 5, Insightful

      That presumes that the process name will be pre-defined. We already have viruses that generate a new name for their executable, or library, and use that name to modify the workstation or server's database to automatically launch it each time the computer is rebooted. If this virus also is generating spam, it will be run with the process name of the executable or library, and at best you will see a process name that you don't recognize. Considering the fact that a significant percentage of the population of computer users do not even know how to bring up the task list, much less know what each process that normally runs is, is named, or does, telling them to kill off any process that looks like 'libraryname0.dll' is not going to be particularly helpful.

      Your best bet is to find a personal firewall that asks you if application x is allowed to generate network traffic. Hopefully the firewall will tell you more, such as the type of traffic the application is attempting to generate, but even that can be more information than a general user is prepared to try to assess.

      If your firewall tells you that 'tobmaps.exe' is trying to send e-mail to your isp's mail server, you might tell it no, don't allow that sort of traffic. If it tells you that 'tobmaps.exe' is attempting to connect to login.yahoo.com via http, you might inadvertently allow it, even though login.yahoo.com is the first step towards sending e-mail through Yahoo.

      In most cases however you can probably tell your personal firewall to block all traffic to any IRC network, unless you specifically approve the app, and know what you are doing. Of course over time spambots are going to move on from IRC channels to Instant Messaging services, to various p2p applications, if they haven't already.

      Saying 'kill off any process named xyz-abc.exe' is all well and good, but is probably going to be a one shot solution to a small subset of the people infected with a spambot.

      -Rusty

      --
      You never know...
  8. This is why some isp's.. by lordsilence · · Score: 3, Informative

    throttle the amount of e-mails a customer can send per time-period.. and the max amount of "BCC, CC" addresses.

    It's just hell and takes lots of time to go through contacting the abuse departments of ISPs like AOL and Verizon, who decide to block for very few spam reports. Even though the damage of spambot-infested computers on your own network is limited.

    1. Re:This is why some isp's.. by fimbulvetr · · Score: 3, Informative

      Yeah unless the customer is large.
      I tried this. I limited outbound emails to 1000 addresses at a time thinking that was very reasonable. Within a week there was a complaint from one of the major companies that they couldn't send to all of their remote offices. Sure enough, not only did they have more than 1000, they had 13,000.
      I realize this isn't an everyday occurrence, but this situation should show that using a limit fix is not a good solution.
      Even doing a max-per-hour won't work. There are times when outbound email from a company can increase exponentially for legit reasons.

  9. This is easier to solve by digitalgimpus · · Score: 4, Insightful

    Unlike when they did it on the clients, this puts it through a limited number of gates.

    ISP's will likely start limiting outbound email to x email/hr. Companies and ISP's will likely start monitoring and kill quicker.

    This will benefit spammers for a very short period, then bite them in the ass.

    ISP's and companies aren't going to tolerate a spike in CPU usage, and possible blacklisting if they can take care of it. They will start blocking IP's from sending mail, etc. etc.

  10. Polite Zombie by Jim+Ethanol · · Score: 2

    You gotta love a Zombie that plays by the rules...

    It'll be interesting to see how this effects ISP's Service Agreements:

    "The customer, nor any device connected to the customer's network will not for any reason, send emails regarding 'P3n15 Enl4rgm3n7!!!', etc.. etc.."

    Buuhahaha...

  11. can we expand the war on terra to include spammers by trolluscressida · · Score: 5, Funny

    I would love to see a Special Ops unit bust down the walls of a spammer's house, beat him, gag him, beat him again, send him to Guantanamo Bay for eternity, and then C-4 the spam servers.

    Everyone should write their congressmen requesting this.

  12. Re:Zombie trick expected to send spam sky-high - t by hunterx11 · · Score: 4, Funny

    If you're karma whoring, at least have the decency to format your text. Only some people hate whores, but everybody hates ugly whores.

    --
    English is easier said than done.
  13. Re:Bring back Make Love not Spam... by Requiem+Aristos · · Score: 2, Funny

    > I know two wrongs don't make a right, but--grrrrrrr--I HATE how these spammers work.

    I fail to see the second wrong. Perhaps you are equating legality with morality?

  14. Email Meltdown my ass by mg2 · · Score: 5, Funny

    If we just switched to a secure email system (SSL/TLS, or whatever), a lot of these dumb problems would go away.

    Yes, I know some mail clients don't support this functionality, but come on. Name one of the modern clients that won't do it. Thunderbird, Mail.app, Eudora, Outlook ... they all know how.

    I suppose then you just have to convince users. This, though, should be the easiest part:

    Dear User,
    This email is to notify you that your neighbor has been receiving your monthly e-bank statements and password confirmation emails because you are stubborn and insist on using insecure email protocols.

    Incidentally, we'd like to thank you for your subscription to DAILY LESBIAN ACTION MAIL!!!1

    1. Re:Email Meltdown my ass by edunbar93 · · Score: 2, Insightful

      > Yes, a few won't change their settings before you disable the IP-based relaying, but that all gets resolved in one day. Not a big deal.

      I have lived through so many "trivial changes" at ISPs as a tech support rep that not only do I find your statement outright insulting, but that I demand that you immediately retract your statement.

      Forcing thousands upon thousands of the unwashed masses to make changes to their computers in "trivial ways" does not take a day. Or a week. Or even a month. It takes approximately two weeks of Undiluted Hell for the poor bastards on the front lines of tech support, followed by four weeks of diluted Hell, then eventually tapering off to a trickle for another couple of months. The last support call about this will come in approximately six months after the change. Oh and by the way, that's on top of the normal call volumes they're expected to handle. So while undiluted hell doesn't seem so bad, it is.

      And that's not including the original notice of the change, which took place a month before the change. That was approximately three weeks of somewhat diluted hell.

      The fact of the matter is that unless you're a computer geek, you don't know what SSL is (or a POP server, or a DNS server...). And you most certainly don't know how to turn it on. Most people need help from tech support to make the changes, or even to understand the step-by-step instructions given to them in small words.

      Since I am now the sysadmin for an ISP, I carefully avoid at all costs changes to the network that "just require changing a checkbox" on each customer's computer. Doing so results in lost customers "because you guys are down so much."

      --
      "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
  15. Great by bahamat · · Score: 2, Funny

    Since they're cooperating so wonderfully, has anybody thought to ask them to stop sending spam?

  16. Death of the net predicted - pictures at 11. by Michael+Woodhams · · Score: 2, Funny

    "The e-mail infrastructure is beginning to fail," Linford warned. "You'll see huge delays in e-mail and servers collapsing. It's the beginning of the e-mail meltdown."

    --
    Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
  17. We're winning by SiliconEntity · · Score: 5, Insightful

    This is the best sign yet that we're winning the war on spam. This is exactly what measures like SPF were designed to induce - forcing zombies to go through the ISP rather than sending mail themselves.

    Now all the ISPs have to do is to filter and detect sudden jumps in email traffic. It will be easy for them to detect systems which have been infected. This will catch the small number of users who suddenly start running high volume email lists from their home systems, but those cases will be few enough that they can be dealt with manually.

    This is the beginning of the end for the zombie spam problem!

    1. Re:We're winning by MikeBabcock · · Score: 3, Informative

      This is a loss. The ISP *can't* detect this without huge amounts of effort *and* the probability of pissing off lots of customers.

      PS, blocking port 25 for customers is just plain dumb -- I have a lot of customers that go on the road and don't want to reconfigure their laptop to use the local dial-up access SMTP server for two hours, then do again in the next city.

      They just leave the SMTP set to us, and we have secure logins. Voila. Oh, but we can't use port 25 because a lot of ISPs block it.

      --
      - Michael T. Babcock (Yes, I blog)
    2. Re:We're winning by Malc · · Score: 2, Insightful

      I doubt this has much to do with SPF. It's not like SPF is even implemented widely enough to make a difference, yet. I would guess that this is more to do with major ISPs blocking outgoing port 25 and forcing their users to go through the ISP's relay/smarthost. I predicted this would eventually happen a few years ago when ISPs started taking these measures. The good thing about this though is that there is a bottleneck that is easy for the ISPs to monitor and control.

  18. Most ISPs have limits by appleprophet · · Score: 3, Interesting

    First of all, most ISPs require you to authenticate in some way. Either they require a login/password or more often, they wait until you check your POP3 email and give you a 30 minute window to send email without authentication.

    Secondly, ISPs often have a limit to how fast you can send mail or how many per day you can send.

    I don't really see this as a problem.

    1. Re:Most ISPs have limits by Robert+The+Coward · · Score: 2, Informative

      As a former Comcast employee, yes, they do cap your emails. Try and send 20 emails in less than 1 minute sometime. You will get an error. It used to pop up with people on laptops who built up email during the day and sent it when they got home.

  19. Re:Global, realtime spamlist? by Yobgod+Ababua · · Score: 2, Informative

    So... something like Vipul's Razor?

    It's not quite as trivial to set up as you suggest, because of two things...

    • first, not everyone agrees exactly on what is or isn't spam.
    • Second, and more importantly, spammers and other undesirables will attempt to poison your list.

    Fortunately, people are already working together to make this work. Pyzor is another similar effort.

    Spamassassin has hooks built in to interface to both Pyzor and Vipul's Razor.

    Maybe ISPs should just start running spamassassin (or something similar) on all outgoing email and blocking everything that scores too high... this would slow down their servers slightly, but would cut spam drastically across the board.

  20. Re:Eh? Because... by kd3bj · · Score: 5, Insightful
    > Why didn't they think of it earlier?

    Because I suspect it doesn't work as well. It's pretty easy for an ISP to notice 100,000 emails from one sender pumping through their SMTP server, but relatively difficult to notice those mails when sent directly through the net. Also, outgoing servers are often set up with throttling.

    Of course, nowadays, ISP's have no excuse in either scenario. There are plenty of network monitoring tools that will notice spamming.

  21. Re:Authentication by Todd+Knarr · · Score: 2, Informative

    It probably won't. Your e-mail client likely remembers your password for you, no? So if your mail client knows the password, what's to stop the Trojan from pulling the password out of where the mail client stored it? And since you're probably using Outlook Express, the Trojan knows exactly where to go. Thank you convenience features.

  22. Re:Is spam such a huge problem, really? Yes! by kd3bj · · Score: 2, Insightful
    As an ISP, I can tell you that for the last two years we put all of our R&D money into fighting spam. For us, that's about $100/yr per customer. That's a lot of money pissed away, and it's damn near bankrupting us.

    But more significantly, it represents a massive opportunity cost. There are all sorts of cool things we could have created for our users that we haven't been able to get to because we were tied up with weekly SpamAssassin upgrades. Spam is short circuiting the work of a lot of the most brilliant people into totally profitless endeavors.

  23. And a lot easier to get them to stop. by khasim · · Score: 2, Insightful

    With a regular zombie, you really can't email the person controlling the machine (or the one who has it in his house).

    With an ISP's mail server, you can.

    And they should be more interested in shutting down the thousands of spam messages so that their regular mail can be sent.

  24. BREAKING NEWS!! by jmcmunn · · Score: 2, Informative


    Spammers are using Microsoft's Hotmail servers as Spam servers, and sending out hundreds (of millions) of emails each day to unwilling recipients.

    Come on, this is hardly news worthy on the front page of Slashdot...this kind of thing has been going on in one way or another for a long time.

  25. Re:Not surprised.... by Sandman1971 · · Score: 3, Informative

    Depends on how smartly the ISP is set up. A smart ISP will separate their inbound and outbound servers, and only allow their own customers to connect to the outbound servers. An MX lookup would give the inbound servers, which customers would be blocked from using.

    --
    It's better to burn out than to fade away
  26. Re:Not surprised.... by mikeswi · · Score: 3, Informative

    You really don't even need to do that much. Outlook and Outlook Express both keep all of their settings in the registry. All a virus needs to do is to parse the contents of a certain registry key.

    I don't know if the login/password is stored there as well, but the server information sure is.

  27. RFC 2476 by tepples · · Score: 5, Informative

    > I have a lot of customers that go on the road ... They just leave the SMTP set to us, and we have secure logins. Voila. Oh, but we can't use port 25 because a lot of ISPs block it.

    You're using SMTP AUTH over TLS on port 587/tcp per RFC 2476, right? ISPs have fewer legitimate reasons (if any) to block 587/tcp out than 25/tcp out.
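The submission-port setup described above, as an added example that is neither RFC 2476's text nor any poster's code: a client-side policy check that parses the EHLO replies seen before and after STARTTLS, refuses to send credentials unless STARTTLS was offered, and then builds the SASL PLAIN initial response (RFC 4616 encoding, assumed here as the mechanism the server offers). The server replies, hostnames and credentials are constructed for this example.

```python
"""Submission-client policy for SMTP AUTH over STARTTLS on port 587.

Added example (not from RFC 2476 or any poster): it parses EHLO replies and
refuses to send credentials unless the server offered STARTTLS first, then
builds an RFC 4616 AUTH PLAIN credential. Server replies and credentials are
constructed for this example.
"""
import base64


def parse_ehlo(reply):
    """Map each advertised EHLO keyword to its parameters, e.g. {"AUTH": ["PLAIN", "LOGIN"]}."""
    caps = {}
    lines = reply.splitlines()
    for line in lines[1:]:            # the first 250 line is the server's greeting
        if line[:3] == "250" and len(line) > 4:
            fields = line[4:].split()
            if fields:
                caps[fields[0].upper()] = fields[1:]
    return caps


def offers_starttls(reply):
    """True when the cleartext EHLO reply advertises STARTTLS."""
    return "STARTTLS" in parse_ehlo(reply)


def auth_plain(user, password):
    """Encode the SASL PLAIN initial response: NUL authcid NUL passwd, base64."""
    raw = b"\0" + user.encode("utf-8") + b"\0" + password.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def plan_submission(ehlo_before_tls, ehlo_after_tls, user, password):
    """Return the commands a client may issue, given the EHLO replies it saw
    before and after STARTTLS. Raises instead of sending a password in the clear."""
    if not offers_starttls(ehlo_before_tls):
        raise RuntimeError("server does not offer STARTTLS; not sending AUTH in the clear")
    mechanisms = {m.upper() for m in parse_ehlo(ehlo_after_tls).get("AUTH", [])}
    if "PLAIN" not in mechanisms:
        raise RuntimeError("no AUTH PLAIN after STARTTLS, offered: %s" % sorted(mechanisms))
    return ["STARTTLS", "AUTH PLAIN " + auth_plain(user, password)]


# Constructed replies from a hypothetical submission server (before and after
# STARTTLS) and from a legacy relay that does not offer STARTTLS at all.
EHLO_SUBMISSION = "250-mail.isp.example\n250-SIZE 10240000\n250-STARTTLS\n250 8BITMIME"
EHLO_SUBMISSION_TLS = "250-mail.isp.example\n250-SIZE 10240000\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
EHLO_LEGACY = "250-relay.isp.example\n250-SIZE 10240000\n250 8BITMIME"

if __name__ == "__main__":
    for cmd in plan_submission(EHLO_SUBMISSION, EHLO_SUBMISSION_TLS, "alice", "s3cret"):
        print("C:", cmd)
```

The refusal path is the point for the roaming-laptop case above: a client that always submits to its home server on 587 with this policy never leaks its login to whatever network it happens to be on, because credentials only ever follow a successful STARTTLS.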

  28. SBC Global / Yahoo has been doing this for 3 weeks by Mustang+Matt · · Score: 2, Informative

    We host email for a lot of small domains. Many of our customers are using SBC Global for their DSL.

    We had everyone doing authenticated SMTP through our server for outbound but SBC shut that down and forces them to do authenticated SMTP through their servers now.

    I have absolutely no problems with this except two small issues...

    1. They didn't let anybody know. (To my knowledge) There was no press release on the home page or any instructions emailed out to inform customers how to update their mail settings. Since of course they only officially support their email addresses any non-technical customers that called in to SBC royally messed up receiving mail from our servers.

    2. There is no non-customer technical support period. You can't make your way through their automated system and they have no way to contact anybody on an ISP to ISP level that I could find.

    I even contacted some marketing person at their HQ that I managed to find contact info for and explained the situation. They even tried to contact support and couldn't figure out how to do it. Very sad. Glad it wasn't an emergency.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  29. Re:Authentication by zcat_NZ · · Score: 2, Informative

    Even if it doesn't, what's to stop the zombie process from intercepting outbound smtp traffic (as most virus scanners already do) and sniffing the password the first time you send a legitimate email?

    Forcing mail through the ISP's mailserver is a great first step; clearly enough ISP's are doing this that it's come to the attention of the malware writers.

    The next step is to limit outbound mail at the ISP; 20 messages per day for ordinary home users should be plenty, and you can allow more (as many as you need, 20 messages at a time) by going to a webpage somewhere (no standard; leave it to each ISP to decide the best method for this).

    Commercial accounts decide for themselves what's a reasonable limit; pay a deposit and you can have 'no limit' but if you get infected you forfeit the deposit..

    Another idea might be to scan outbound mail for known viruses, likely virus attachments (who the hell legitimately mails screensavers and/or control panel components..?) and 'spam indicators' (large variety of different from addresses, etc). If it looks suspicious and/or there's an unreasonable amount of it, block all further mail until someone checks it out and turns it on again..

    --
    455fe10422ca29c4933f95052b792ab2
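The ISP-side detection that SiliconEntity, kd3bj and zcat_NZ describe above (spotting a sudden jump in one account's outbound volume, and the "large variety of different from addresses" indicator), as an added example that is not the article's or any poster's code. It runs over constructed submission-log lines in a made-up format, not any real MTA's log format; the account names, thresholds and window are assumptions for the example.

```python
"""Spot zombie-like outbound mail on an ISP submission server.

Added example (not from the article or any poster): it implements the two
checks the thread discusses, a per-account volume limit and the "large
variety of different from addresses" indicator. The log format is constructed
for this example and is not any real MTA's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log line shape:
#   2004-12-01 09:00:00 submit user=<authenticated account> from=<envelope sender> rcpts=<count>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) submit "
    r"user=(?P<user>\S+) from=<(?P<sender>[^>]*)> rcpts=(?P<rcpts>\d+)$"
)


def parse_line(line):
    """Return a dict for one submission record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "user": m["user"],
        "sender": m["sender"].lower(),
        "rcpts": int(m["rcpts"]),
    }


def analyze(lines, max_rcpts_per_window=100, max_senders=3, window=timedelta(hours=1)):
    """Return {account: [reasons]} for accounts that trip a threshold.

    - "volume": more than max_rcpts_per_window recipients inside a sliding window
    - "sender-variety": more than max_senders distinct envelope senders for one login
    Lines are expected in time order per account, as a log file is.
    """
    recent = defaultdict(deque)   # account -> (ts, rcpts) records inside the window
    senders = defaultdict(set)    # account -> distinct envelope senders seen
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["user"]]
        q.append((rec["ts"], rec["rcpts"]))
        while q and rec["ts"] - q[0][0] > window:   # drop records older than the window
            q.popleft()
        if sum(r for _, r in q) > max_rcpts_per_window:
            flagged[rec["user"]].add("volume")
        senders[rec["user"]].add(rec["sender"])
        if len(senders[rec["user"]]) > max_senders:
            flagged[rec["user"]].add("sender-variety")
    return {account: sorted(reasons) for account, reasons in flagged.items()}


def constructed_sample():
    """Constructed log: one normal account and one that behaves like a zombie."""
    lines = [
        "2004-12-01 08:55:00 submit user=alice@isp.example from=<alice@isp.example> rcpts=1",
        "2004-12-01 09:20:00 submit user=alice@isp.example from=<alice@isp.example> rcpts=3",
    ]
    rotating = ["promo%d@elsewhere.example" % i for i in range(6)]
    start = datetime(2004, 12, 1, 9, 0, 0)
    for i in range(40):  # 40 messages x 5 recipients in ten minutes, rotating senders
        ts = start + timedelta(seconds=15 * i)
        lines.append("%s submit user=bob@isp.example from=<%s> rcpts=5"
                     % (ts.strftime("%Y-%m-%d %H:%M:%S"), rotating[i % len(rotating)]))
    return lines


if __name__ == "__main__":
    for account, reasons in analyze(constructed_sample()).items():
        print(account, ", ".join(reasons))
```

The thresholds are per account and deliberately tunable: the 13,000-address case fimbulvetr ran into above is exactly the kind of customer that needs a higher limit or an allowlist entry, while the sender-variety check catches a compromised home account even when its volume stays under the cap.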
  30. Law is the answer and the answer is law! by D4C5CE · · Score: 4, Informative
    Right below "TFA", there's a link to Yet Another Interesting Article.

    Just take a look at the statistics:

    Europe has only had strict laws against junk communications for two years (Article 13 of Directive 2002/58/EC), and they have only been in full force since November 2003 (and the provisions for criminal penalties are not even in place in each and every corner of the European Union yet) - but they mean pure and simple opt-in, and look how this continent's "spam output" already has become almost completely insignificant.

    The U.S., I'm afraid to say, has put next to nothing in the way of these sociopaths: only a now-you-CAN-SPAM-more-than-ever Act that lives up to its name in the worst of ways, by legalizing most of the spam, enacting an unworkable opt-out onus on the users, and putting anti-spam warriors at the legal risk of interfering with (and being taken to court by the operators of) what is considered a legitimate "business model" except for some of the worst abuses - and, for however little it is, all of this comes an entire decade too late.

    Reliance on technical solutions and minimal government intervention is just fine for many things - but it's failed in the fight against spam.

    Here is how to do it:

    > Where the rights of the users and subscribers are not respected, national legislation should provide for judicial remedies. Penalties should be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken under this Directive.
    > (...)
    > "electronic mail" means any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient.
    > (...)
    > The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.
    > (...)
    > In any event, the practice of sending electronic mail for purposes of direct marketing disguising or concealing the identity of the sender on whose behalf the communication is made, or without a valid address to which the recipient may send a request that such communications cease, shall be prohibited.
    That's certainly nowhere near rocket science, and if the above looks a bit complicated, that's probably just because
    • a directive is a (binding) template for lawmakers in all of the European Union's member states
    • necessarily, the legal techniques as well as the "Legalese" itself vary between jurisdictions
    • this is a great one-ban-fits-all provision that outlaws each and every flavor of spam at once
    "First Amendment" implications: zero (and yes, of course there is freedom of speech in this part of the world as well, and even more of that speech could be heard if it wasn't drowned out by American spam - some of which comes relayed through Asia of course) - it only bars some people from "pissing in everyone else's pool", but certainly not from speaking their mind!

    There is nothing wrong with following an example that works so well, even if it is from Europe...

    Call your congresscritter now to outlaw unsolicited commercial communications, place a hefty fine and jail time on the offenders, and put an end to these abuses before they put an end to eMail itself.