Slashdot Mirror


FTC Recommends ISPs Disconnect Spam Zombies

Mike Markley writes "CNN is carrying a story about the the FTC's plans and concerns around spam zombies. They say they will be identifying such zombie hosts and notifying ISPs, and are recommending that the ISPs disconnect indicated users. There's also a recommendation likely to raise the ire of the geekier sorts: that ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound)." From the article: "Law enforcers in 25 other countries, from Bulgaria to Peru, are also participating in the campaign, the FTC said. Absent from the list of cooperating countries was China, where experts say rapid growth and a relative lack of technical sophistication have led to a large number of zombie computers."

16 of 411 comments

  1. I second! by Hrodvitnir · · Score: 3, Informative

    Having worked for a university tech department that did this, I would have to say, I can't think of a better way to open people's eyes to the threat of virii than to revoke their internet privileges.

    --
    "There are more important things than stopping terrorism. Upholding the Constitution is one of them." - Ars Forumer.
  2. So what? by grub · · Score: 5, Informative

    That ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound)

    My ISP doesn't block 25 outgoing but a few spam blacklists have my IP range on their "DSL/Cable/Dialup" listings so I send mail from my internal server through the ISP.

    The result? No more "You're on a dynamic IP" bounce messages.

    --
    Trolling is a art,
  3. Blocking port 25 only half bad by thegrassyknowl · · Score: 2, Informative

    that ISPs only permit users to send mail through their own servers

    I am a geekier sort, and this pisses me off. At the same time I'm kinda glad. I only really use my ISP mail server for everything. They relay on even if my From: address is set to something other than my ISP-provided email address.

    Anything to bring the amount of SPAM down is good in my books. Even if it means a slight loss of accessibility to other mail servers... That said, SMTP has authorisation capabilities now. They should rethink the blanket block and block only those SMTP servers that don't force authorisation to send mail. At least that way you'd need an account on it to send mail.

    --
    I drink to make other people interesting!
  4. Re:Go ahead, block 25 by bodgit · · Score: 2, Informative

    465 is SMTP over SSL. 587 is submission, AIUI it's basically the same as SMTP but without the moral obligation to accept all correctly addressed mail from anywhere, so you can put up various auth barriers and whatnot.

  5. Re:Blocking port 25 seems reasonable by flabbergasted · · Score: 3, Informative

    You mean like this list of machines logged on my company's mailserver last night?

  6. Re:Go ahead, block 25 by ProfaneBaby · · Score: 2, Informative

    587 requires authentication, which gets logged, and becomes MUCH easier to track from the sender side.

    --
    Video Phone Blogs send video messages straight to the web.
  7. Re:Small Business Users / external hosting by The+Cisco+Kid · · Score: 2, Informative

    Nope.

    http://www.ietf.org/rfc/rfc2476.txt

    The idea is to separate 'a mailserver connecting to another mailserver to drop off mail that is addressed to a user at the destination server' from 'a user connecting to his own server, authenticating as such, and then dropping off outbound mail for that server to then send on to the final destination', and restrict the first to non-dynamic, non-'consumer', or any addresses where there isn't some reasonable expectation of a positively identifiable responsible party.

    Spammers will have a lot harder time abusing the second, and will be easier to identify if and when they do.

  8. Re:25? Already blocked. by The+Cisco+Kid · · Score: 4, Informative

    Yes, so you make sure you pick a clueful ISP that has MSA (RFC 2476) support, which uses port 587, then you set his mail client to use that, and it works fine both when he's in the office or at home, regardless of port 25 restrictions wherever he's getting his connectivity from.

    Since MSA requires him to *authenticate* (which most clients, even OE and ilk, will do happily) when he connects on port 587, and the ISP only accepts *outbound* mail on that port (other ISPs wanting to deliver mail *to* your ISP still use 25), it isn't terribly attractive to spammers.
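    The split described in the two comments above, as an added illustration that is not part of the thread: a toy model of an RFC 2476 submission server on port 587 next to a plain MTA on port 25. The MSA refuses MAIL FROM until the client has authenticated and records the authenticated user with every accepted recipient; the MTA accepts mail only for its own domains and refuses to relay. The domain, account and sessions are constructed for the example.

```python
"""Toy model of RFC 2476 message submission (port 587) beside an MTA (port 25)."""
import base64

LOCAL_DOMAINS = {"example.org"}      # hypothetical domains this server hosts
CREDENTIALS = {"alice": "s3cret"}    # constructed submission account

def auth_plain(user, password):
    """Build the client's AUTH PLAIN line: base64 of "\\0user\\0password"."""
    return "AUTH PLAIN " + base64.b64encode(f"\0{user}\0{password}".encode()).decode()

class MailServer:
    def __init__(self, port):
        self.port, self.user, self.sender, self.log = port, None, None, []

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-example.org\r\n250 AUTH PLAIN" if self.port == 587 else "250 example.org"
        if verb == "AUTH" and self.port == 587:
            _, user, pw = base64.b64decode(arg.split()[-1]).decode().split("\0")
            if CREDENTIALS.get(user) == pw:
                self.user = user
                return "235 Authentication successful"
            return "535 Authentication credentials invalid"
        if verb == "MAIL":
            if self.port == 587 and self.user is None:
                return "530 Authentication required"   # the MSA barrier a zombie cannot pass
            self.sender = arg.removeprefix("FROM:")
            return "250 OK"
        if verb == "RCPT":
            rcpt = arg.removeprefix("TO:").strip("<>")
            if self.port == 25 and rcpt.rsplit("@", 1)[-1] not in LOCAL_DOMAINS:
                return "550 Relaying denied"           # an MTA is not an open relay
            # The MSA log ties each outbound message to an authenticated identity,
            # which is what makes abuse on 587 traceable; the MTA has no such identity.
            self.log.append((self.user, self.sender, rcpt))
            return "250 OK"
        return "500 Command not recognized"

def run_session(port, commands):
    """Feed a scripted client session to a fresh server; return replies and the log."""
    srv = MailServer(port)
    return [srv.handle(c) for c in commands], srv.log

if __name__ == "__main__":
    print(run_session(25, ["EHLO bot", "MAIL FROM:<x@example.net>", "RCPT TO:<v@example.com>"]))
    print(run_session(587, ["EHLO laptop", auth_plain("alice", "s3cret"),
                            "MAIL FROM:<alice@example.org>", "RCPT TO:<v@example.com>"]))
```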

  9. Re:Well, how about this. by B747SP · · Score: 2, Informative

    I suspect the logic is, if you're sending out requests for web and email through the same port, there might be conflicts?

    Why would there be conflicts? A TCP connection is defined by four things... source IP, source port, destination IP, destination port. So long as any one of those four things is different from all the other connections currently being handled by, well, anyone, then it's a unique connection and it's not going to tread on any other's toes.

    Getting a box to listen on port 80 for SMTP and HTTP is gonna be a little trickier, but I suspect that isn't what you're trying to do.

    --
    I find your ideas intriguing and I wish to subscribe to your newsletter.
  10. Re:Go ahead, block 25 by slugo3 · · Score: 2, Informative

    I use SBC and it's true that they didn't notify the users, then again I don't check my sbc email either.
    Most users running a mail server would probably notice a problem pretty fast.
    sbc unblocked it within a day after a visit to the following page though.

    http://help.sbcglobal.net/article.php?ys_service=DSL&ys_state=&browser_redirect=%2Farticle.php%3Fitem%3D4640

  11. Re:Jul abg whfg rqhpngvba? by Anonymous Coward · · Score: 0, Informative

    Parent is not off-topic.

    For the clueless amongst you who don't recognise rot-13 (or who DO recognise it but have no sense of humour), the parent says,

    *Why not just education?*

    "...Absent from the list of cooperating countries was China, where experts say rapid growth and a relative lack of technical sophistication have led to a large number of zombie computers."

    Doesn't the FTC get that last sentence? Education is the key to really get rid of problems like these. You can legislate all you want, but if the public gets educated you will be able to avoid unknown or unforeseen attacks/problems to a lot larger degree.

    Again, just my 2 cents.

    See? Not a troll.
  12. User on the Road port 25 blocked? Tunnel over SSH by kjh1 · · Score: 2, Informative

    My users are constantly travelling and plugging into God knows whose networks, and then calling me up and telling me that our mail server is dead b/c they can't send e-mail. Why they always blame the local IT group first is beyond me... But anyway, it was invariably b/c port 25 was blocked.

    Our solution was to create a recipe that they could follow to tunnel their SMTP connection over SSH to our SMTP server. Even your pointy-haired boss can follow it. Include screenshots and make sure to include copious amounts of blame on the hotel network and spammers.

    If you're using Windows, you can use PuTTY and set up the forwarding tunnel beforehand too.

  13. FTC Does NOT Recommend Blocking SMTP / Port 25 by jonathanbearak · · Score: 3, Informative

    The article is quite vague. But I really think that Reuters is misunderstanding the details here and creating this lack of clarity. The FTC is not so stupid as to block port 25.

    I immediately went to ftc.gov.
    Here is a link to their actual press release:
    http://ftc.gov/opa/2005/05/zombies.htm

    They have a more detailed website at:
    http://www.ftc.gov/bcp/conline/edcams/spam/zombie/index.htm

    This site appears to be geared for the people who actually understand what's going on. The very first bullet point on the site states very clearly:
    "block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers."

    In other words, under their proposal, we can still send emails so long as we are authenticating to an SMTP server.

    We can use our College email, our Google, Yahoo, etc. accounts.

    This is how I interpret their idea:
    - You want to send email? Connect to an SMTP server and log on.
    - Incoming traffic is not interfered with.
    - If you send SMTP traffic directly from your computer to someone else's computer, this is blocked.

    I'm not sure exactly how one would implement this because one cannot know every "legitimate" mail server. Further, ISPs will not (should not) be scanning all of our SMTP packets to see what kind of traffic is coming from our computers. The easiest solution is something already in place, although it annoys me. I can still send SMTP from my computer (RoadRunner ISP, New York City) but if I send to an AOL user, for example, I get a reply back from AOL explaining that AOL will not accept emails from a Residential IP address. This is irritating, but it's no bother. Simply have all the ISPs say, these IP blocks are for our residential customers --- if you get email from them, it's probably a spam zombie, so you may wish to block such SMTP traffic if it becomes a bother.

    I'm not proposing anything, just trying to piece together what the FTC is actually saying. Trust me, they're not so clueless; it's usually the papers, especially in these generic wire reports, that mess up the details.

    The FTC is most certainly _not_ recommending that all port 25 traffic is blocked; they are not limiting anyone to their ISP's mail servers. How would the FTC people log in to their own FTC email from their homes? They'd have the same issues we'd have.

    Anyway, since I *never* use my ISP mail server (mostly because Google is faster, has more storage, and is easier to access when I don't feel like carrying my laptop around; and because for professional stuff I tell people to contact me @honorscollege.cuny.edu (even though I SMTP back through Google)).

    Though less technical, I'm sure, most professional people require such a setup. Think things through. I see so many posts regarding outright and absolute SMTP / Port 25 blocking. That's too ridiculous to believe. Indeed, it's not even close to what the FTC actually says, as I cite above.

    Read their site if you still have your doubts. Let it be said, however, that the government is not as stupid as some would like to believe.

  14. Re:HELP! NEED ISP THAT WILL NOT BLOCK PORTS EVER!! by Anonymous Coward · · Score: 1, Informative

    speakeasy

  15. get a box hosted by bug · · Score: 2, Informative

    I think the legitimate question is "should a consumer expect full freedom to engage in potentially risky behavior from a consumer-grade ISP service?" I think the answer is, VERY unfortunately, no. If you want to have greater freedom (e.g., running your own network services, having unrestricted outbound SMTP, etc.), then you should seriously consider colocation. Paul Vixie has been nice enough to catalog many places all across the US and a few places internationally where you can get a box (or virtual vmware box) hosted for relatively cheap: Personal Co-location Registry

  16. Re:Block 25 all you like. by Martin+Blank · · Score: 2, Informative

    Burden of proof is easy. Hook up network traffic monitors that track the port usage on all of the systems in the network. Excessive port 25 usage would be used in conjunction with reports from the outside. If they get 300 reports of spams using your e-mail address, but they look and you have virtually no port 25 usage, then it's a safe bet that you didn't send it, at least from that system. No reason to shut it down.

    If, OTOH, they look and you're sending a solid 30KB/sec over port 25 for the last six days, then it's a good bet that you're either spamming or you're a zombie for a spammer. Either situation needs to get rectified quickly, and it shouldn't be hard for you to show that you do have a legitimate need for sending out all of that mail, if indeed you do.

    --
    You can never go home again... but I guess you can shop there.
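    The burden-of-proof logic in the comment above, as an added example that is not part of the thread: per-host outbound port-25 volume over one observation window is combined with the count of outside abuse reports naming that host. A host pushing a sustained 30 KB/s to port 25 is flagged for quarantine and notification; a host with hundreds of reports but no port-25 traffic at all is treated as a forged sender and left alone. The flow records, report counts and thresholds are constructed for the example.

```python
"""Separate hosts with sustained outbound SMTP from hosts whose address was merely forged."""
from collections import defaultdict

WINDOW_SECONDS = 60   # length of the constructed observation window

# Constructed netflow-style records: (src_ip, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = (
    # 10.0.0.5: ~30 KB/s straight to port 25 on fifty different remote MXs
    [("10.0.0.5", f"203.0.113.{i}", 25, 36_000) for i in range(1, 51)]
    # 10.0.0.7: only authenticated submission to the ISP's MSA on 587
    + [("10.0.0.7", "198.51.100.2", 587, 4_000), ("10.0.0.7", "198.51.100.2", 587, 12_000)]
    # 10.0.0.9: one small direct port 25 delivery
    + [("10.0.0.9", "203.0.113.200", 25, 2_500)]
)
# Constructed abuse reports: how many outside complaints named each host's address
SAMPLE_REPORTS = {"10.0.0.7": 300, "10.0.0.5": 12}

def summarize_port25(flows, window_seconds=WINDOW_SECONDS):
    """Per source host: (bytes per second sent to port 25, number of distinct peers)."""
    total, peers = defaultdict(int), defaultdict(set)
    for src, dst, dport, nbytes in flows:
        if dport == 25:
            total[src] += nbytes
            peers[src].add(dst)
    return {src: (total[src] / window_seconds, len(peers[src])) for src in total}

def classify_hosts(flows, reports, rate_threshold_bps=30_000, report_threshold=100):
    """Combine local port-25 measurements with outside reports into a per-host verdict.

    sustained-smtp : spamming or a zombie; quarantine and notify the subscriber
    forged-sender  : reported widely but sends nothing on port 25; no local cause
    no-action      : nothing to act on
    """
    stats = summarize_port25(flows)
    verdicts = {}
    for host in set(stats) | set(reports):
        rate, _peers = stats.get(host, (0.0, 0))
        if rate >= rate_threshold_bps:
            verdicts[host] = "sustained-smtp"
        elif reports.get(host, 0) >= report_threshold and rate == 0:
            verdicts[host] = "forged-sender"
        else:
            verdicts[host] = "no-action"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(classify_hosts(SAMPLE_FLOWS, SAMPLE_REPORTS).items()):
        print(host, verdict)
```

    The report threshold matters as much as the byte-rate threshold: without it, a single complaint against a quiet host would be enough to trigger a disconnection that the local evidence does not support.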