Slashdot Mirror


FTC Recommends ISPs Disconnect Spam Zombies

Mike Markley writes "CNN is carrying a story about the FTC's plans and concerns around spam zombies. They say they will be identifying such zombie hosts and notifying ISPs, and are recommending that the ISPs disconnect indicated users. There's also a recommendation likely to raise the ire of the geekier sorts: that ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound)." From the article: "Law enforcers in 25 other countries, from Bulgaria to Peru, are also participating in the campaign, the FTC said. Absent from the list of cooperating countries was China, where experts say rapid growth and a relative lack of technical sophistication have led to a large number of zombie computers."

31 of 411 comments

  1. Re:Go ahead, block 25 by dgatwood · · Score: 5, Insightful
    The right answer is pretty simple, actually. Start out with port 25 blocked. When the user calls to complain, unblock it on a per-user basis. People who need port 25 unblocked know enough to request it, and there's no valid excuse for denying it. People who run Win-zombies don't have any valid reason to ask for it to be unblocked and generally don't know enough to ask for it anyway, as most of them think that "port" means the ethernet jack on their DSL router/modem....

    Problem solved, and everybody wins.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. blocked ports by DaveCar · · Score: 3, Insightful

    I wouldn't mind too much, so long as you could opt out - just call up and say "I have half a clue what I'm doing" or "I'm not running a festering infected OS from Redmond".

    I'm guessing most of the people who unwittingly harbour zombie machines wouldn't know wtf port 25 was anyway ...

    Maybe a couple of basic networking questions to weed out the chancers?

  3. Re:Go ahead, block 25 by MightyMartian · · Score: 2, Insightful

    The proper solution is to only let MTAs communicate via port 25, and to use 587 as it was intended, for MUAs. Stick SMTP Auth on port 587, and you're on your way. The only downside to this is if the worm authors start using the MUA (by this I mean Outlook Express in particular) to send email. I suspect that most users aren't really aware enough to notice a dozen messages they didn't write flying out of their Outbox.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  4. Re:Go ahead, block 25 by Anonymous Coward · · Score: 1, Insightful

    Start out with port 25 blocked. When the user calls to complain, unblock it on a per-user basis. People who need port 25 unblocked know enough to request it, and there's no valid excuse for denying it.

    Internet provider SBC has already been doing this for months. Not that I am trying to smear SBC's name, but some users claimed at the time that the block on port 25 was implemented without notice.

  5. Don't block 25 outbound! by m85476585 · · Score: 2, Insightful

    My ISP blocks port 25 outbound, forcing me to use their mail servers. When I am traveling and connected with a different ISP, I have to go into my email program's (Thunderbird) settings and change the outbound server (or not send mail). Also, what if I had to send an urgent message and my ISP's servers were down (it hasn't happened, but it could)?

  6. This is going to get someone killed. by shift.red.avni · · Score: 2, Insightful

    The FTC should stick to trade, and leave the mismanagement of the Internet to the FCC. The FCC just ruled last week that VOIP providers have to tell their customers whether they provide 911 access or not, after a girl died because her mom couldn't call 911 on her VOIP phone.

    It won't be long before someone dies because their newly 911-enabled VOIP phone was disconnected because their machine was suspected of being a spam zombie.

  7. Re:25? Already blocked. by barc0001 · · Score: 5, Insightful

    Here's Bob. Bob is your boss at a small to mid-sized company. He's not what you'd call "technical". You're the company's "tech" guy. You also do other things, but when the computers don't work, you're the go-to guy. Your company isn't that large, or that technical itself, so you host your mail with your company's ISP, PhoneCo. When Bob goes home, however, his ISP at home is CableCo. Bob is perpetually calling you either at home, or into his office because he "damn well can't send that email!" Invariably, the reason is because his account is configured to the wrong SMTP server, depending on where he is located.

    Wouldn't it be nice if you could just set up his account to use the company's ISP for SMTP all the time? You used to be able to do that, until the spineless CableCo decided they were just going to blanket-block port 25, no exceptions, instead of doing traffic analysis and chopping off the offenders. But that would take work, and effort, and nobody wants to do that, so just block 25 and call it a day!

    Note: Some elements of this story might be based on real experiences, which may explain the negative bias towards blanket policies of any type as bandaids.

  8. Re:I second! by Mad+Merlin · · Score: 2, Insightful

    Are you going to refund the money they paid for the 'net connection for that time too? I agree that a network connection is not a right but a privilege, but at the same time, they're still paying for that privilege, what gives you the right to take their money and give nothing in return?

  9. What is it about China? by Klivian · · Score: 2, Insightful

    What is it about all this nagging about China, Brazil et al, when the vast majority of spam still comes from the US? Not only is it sent from US based computers, zombies or otherwise, but the sellers of the goods advertised are also in most cases US based.

  10. Stupid policy. by Erris · · Score: 3, Insightful

    Closing port 25 is pointless because the owners of the botnet already know to use the ISP's SMTP server, just like the victim does, to send mail. You won't really stop the spam or DDoS this way, you will just stop normal users from doing something that's easy and useful.

    There's nothing difficult about running a mail server. Exim comes with debian and has reasonable default values set in a script that tells you what it's doing. It's no harder to run than it is to use a GUI client. There are many advantages to it as well, such as custom mail addresses for registrations and other junk.

    Reducing redundancy is bad for national security. In the end, it's much easier to DDoS email by targeting two broadband providers than it is to target thousands of individual users with a clue. The setback will be temporary. As email dies as a useful communication medium, Jabber and others will rise in its place.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:Stupid policy. by ErikTheRed · · Score: 3, Insightful
      Closing port 25 is pointless because the owners of the botnet already know to use the ISP's SMTP server, just like the victim does, to send mail. You won't really stop the spam or DDoS this way, you will just stop normal users from doing something that's easy and useful.
      Most ISPs rate-limit outbound SMTP. Some will shut down a client that appears to be spamming, and force the user to call in to reestablish service. It's important to keep in mind that the vast, vast majority of users barely know how a computer works. ISPs are more or less forced to cater to the lowest common denominator. If you don't like that, then use a geek-friendly ISP like SpeakEasy.
      --

      Help save the critically endangered Blue Iguana
    2. Re:Stupid policy. by froody · · Score: 2, Insightful

      They could just as well rate limit all port 25 traffic. That shouldn't be much harder than forcing you to go through their server, and then limiting you there.

      Tim

  11. Re:Go ahead, block 25 by conteXXt · · Score: 2, Insightful

    Exactly why ISPs should:
    1. use static DHCP.
    2. tie the IP address to the modem/account
    3. cap the outbound bandwidth (like they already do)
    4. let anyone run a server.

    Personal responsibility shouldn't end at your modem.

    It doesn't end at your door.

    --
    The truth about Led Zep should never be told on /. (Karma suicide ensues)
  12. Re:Blocking port 25 seems reasonable by The+FooMiester · · Score: 5, Insightful

    Hardcore geek here, with a UID that's far lower than yours.

    Don't block my outbound port 25.

    Don't block my outbound ANYTHING.

    Block me off completely when my machine hurts the internet by spamming/flooding/whathaveyou.

    I'm so sick of this "Let's surrender our internet because of Microsoft" bullshit. I'm sick enough of it to burn karma by posting this crap that's going to get modded into oblivion.

    Not all of us know someone with a well connected server. Not all of us want to post mail from somewhere other than our box. I know that my box is working and isn't logging what I'm sending somewhere else. I know that the government isn't reading my email logs. I know that my server is MY SERVER and that's THAT.

    If you don't like it, go back to AOL. Then you can have your little closed interface, able to email all of your little friends who use the same closed interface, and get charged for what I can get for free. All I have to pay for is my connection, whereas you'll have to pay for every "value-added" service you use.

    --
    The previous has been a secret message to my comrades.
  13. Re:Go ahead, block 25 (vote for mod) by SirSlud · · Score: 2, Insightful

    Word.

    Honestly, education starts with being burned. It's 2005 and we're still trying to convince people that driving without seatbelts or racing other commuters, or ... insert public safety campaign here ... is a bad idea.

    It gains traction when folks who are spreading it are having their feet held to the fire.

    I'm not being an elitist jerk, I'm sayin that owning a computer is as much a responsibility as anything else in life. You own a car, you're responsible for what you do with it. If your car is blowing up regularly, you might want to seek a new manufacturer.

    --
    "Old man yells at systemd"
  14. Re:Block 25 all you like. by Locke2005 · · Score: 2, Insightful

    Anybody smart enough to get around port 25 blocking is probably smart enough to not get his machine owned by spammers... Yes, all ISPs should block port 25 by default, and only open it up for customers that specifically request it (and probably should charge those customers more). But then, I'm certainly not the first person to suggest this.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  15. Re:Well, how about this. by The+Cisco+Kid · · Score: 2, Insightful

    If more and more major ISPs block port 25 outbound for their 'consumer grade' service, there will be less and less zombie spam from those networks. As more web and mailhosts come to grips with this (most already have, to be honest), they will ensure that they support MSA (RFC 2476), and those users that need to travel between connectivity providers will be set up to use it (only once, as it will also work when on one's 'home' network, no need to switch back and forth).

    Mail that servers send to other servers will still go via port 25, and in addition to other spam control measures, server admins won't have to deal with as many zombied wincrap boxes on $cableco or $telco/dsl networks.

    Spammers can't use MSA to deliver mail to recipients, as 1. it requires authentication, and 2. it should be set up to only accept mail for outbound relay from authenticated users. Yes, there will be some cases of spammers hijacking MS email software, and using its saved passwords to send mail as that user through that user's mail server, but that will be far easier to track down and squelch than the current situation of spam coming randomly from all over.

    More comprehensive info at:

    http://www.circleid.com/article/1039_0_1_0_C/
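    The split that MightyMartian (comment 3) and The Cisco Kid (comment 15) describe, MTAs talking to each other on port 25 while MUAs submit on 587 with authentication and the MSA relaying only for authenticated users, looks like this in Postfix. This is an added example, not part of the thread or the linked article; the directive names are real Postfix parameters, but the SASL backend (Dovecot or Cyrus) and the TLS certificate settings are assumed to be configured elsewhere, and `smtpd_relay_restrictions` needs Postfix 2.10 or later.

```conf
# master.cf: the submission service (port 587) is for MUAs only.
# Clients must negotiate TLS and authenticate; anything else is rejected,
# so a zombie on the same network cannot use this port as a relay.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# main.cf: port 25 stays an MTA-to-MTA port. No authentication is offered
# there, and mail is accepted only for domains this server is responsible
# for (or from mynetworks), so it never acts as an open relay.
smtpd_sasl_auth_enable = no
smtpd_tls_security_level = may
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
```

    With this layout a roaming user configures the MSA once (server, port 587, STARTTLS, username and password) and keeps sending from any network, which is the "only once" point made above; the ISP's port 25 block no longer matters to them because submission travels on 587.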

  16. Re:Go ahead, block 25 by Anonymous Coward · · Score: 1, Insightful

    I use static IP's with DHCP. DHCP also configures the nameserver and default gateway of the client, even while giving them back the same IP. Keeps one from having to push this info out to machines, keeps users from believing their IP is static Now And Forever Amen, and it transfers nicely when the machine does end up on a dynamic IP network.

    "Static DHCP" still sounds a little odd.

  17. Re:Blocking port 25 seems reasonable by Rasta+Prefect · · Score: 2, Insightful
    It will inconvenience a big number of CEOs, CFOs, and other people who literally cannot be bothered to learn how their laptops work and want all their email to look like it is from their work account no matter where they are.

    V-P-N. If they're that far up the tree what they're sending is probably confidential anyway.

    --
    Why?
  18. Re:Block 25 all you like. by psyon1 · · Score: 2, Insightful

    Why not charge those who are causing the problems a fine? I run my own mail server on a co-located server, there is no reason I should have to pay extra to connect to it.

  19. Re:Go ahead, block 25 by teh_winch · · Score: 2, Insightful

    I find it hard to believe the person at the ISP does anything different when finding the user of a static IP compared to a dynamic IP. They would just enter the IP and time and get back the user's details.
    Finding the user of an ip must happen often enough that they already have automated tools to do the job.
    Users causing trouble and needing to be identified isn't exactly a new or uncommon problem.

  20. Re:Small Business Users / external hosting by stor · · Score: 2, Insightful

    Blocking port 25 would just about kill small business people that use a 3rd party hosting service for their webpages and email.

    Running an MTA is serious business these days. It's not just about blocking VRFY and ETRN. I'm battling bounce attacks, attacks on postmaster and make-baby-jesus-cry brute force attacks which are:

    1. Difficult to stop.
    2. Apparently increasing in popularity.

    We process a bit over 100K emails/day. We reject about 15K emails/day.

    Are these small businesses going to try to address this problem with the same rigour as a professional? No, they are not. They are going to do the *bare minimum* to get/keep the MTA working and it's going to become another tool for spammers.

    If you have a static IP, your own domain configured (forward and reverse) and you are very capable of configuring ACLs on an MTA then you may be OK but you'll be like me: constantly looking for new ways of calming the storm of shit. Otherwise you're just going to become part of the problem.

    Cheers
    Stor

    --
    "Yeah well there's a lot of stuff that should be, but isn't"
  21. Throttling is better by ttul · · Score: 2, Insightful

    Rather than blocking port 25, progressive and user-friendly ISPs (does such a thing exist?) would be well served to simply throttle port 25. By exponentially dropping the available bandwidth to that port as traffic on it increases from a particular host, the zombie problem can be for the most part eliminated while not unduly penalizing legitimate senders of email.

    Blocking port 25 just shifts the problem around. With port 25 blocked, zombie owners are forced to use the ISP's outgoing mail servers. If throttling is intelligently applied to all port 25 traffic on a per-host basis, the feasibility of zombie spamming drops off.

    Put it this way: Which would you prefer: having one of your customers blacklisted as a result of spamming, or having ALL of your customers blacklisted as a result of your own mail servers spamming...?

    The OpenBSD team is working on a transparent traffic shaping proxy that will make magic like this trivial for the pf priesthood. IMHO this is yet another reason to support that excellent project by buying a CD or T-shirt.
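    Several posters describe the same defensive pattern from different angles: dgatwood's per-user opt-out list, ErikTheRed's note that ISPs rate-limit outbound SMTP and cut off hosts that look like spammers, and ttul's proposal to throttle port 25 exponentially per host instead of blocking it. The script below is an added example, not code from the thread or from any ISP, that ties those three ideas together over a constructed flow log: it counts outbound port-25 connections and distinct destination MTAs per customer host, computes a bandwidth cap that halves as the connection count grows, flags hosts that fan out to many destinations as suspected zombies, and exempts hosts on an allowlist. The log format, thresholds and addresses are all assumptions.

```python
"""Per-host outbound SMTP analysis for an ISP edge (added example)."""
from collections import defaultdict

# Constructed flow records, not real traffic: "epoch src_ip dst_ip dst_port bytes".
# 10.0.0.5 fans out to ten different MTAs in 20 seconds (zombie-like).
# 10.0.0.7 talks twice to one relay and once to a web server (normal).
# 10.0.0.9 runs its own MTA and is on the opt-out allowlist.
SAMPLE_FLOWS = """\
1117200000 10.0.0.5 198.51.100.10 25 4200
1117200002 10.0.0.5 198.51.100.11 25 4150
1117200004 10.0.0.5 198.51.100.12 25 4300
1117200006 10.0.0.5 198.51.100.13 25 4280
1117200008 10.0.0.5 198.51.100.14 25 4120
1117200010 10.0.0.5 198.51.100.15 25 4390
1117200012 10.0.0.5 198.51.100.16 25 4210
1117200014 10.0.0.5 198.51.100.17 25 4330
1117200016 10.0.0.5 198.51.100.18 25 4180
1117200018 10.0.0.5 198.51.100.19 25 4260
1117200020 10.0.0.7 192.0.2.25 25 9800
1117200021 10.0.0.7 203.0.113.80 80 51200
1117200090 10.0.0.7 192.0.2.25 25 2400
1117200030 10.0.0.9 198.51.100.30 25 7600
1117200031 10.0.0.9 198.51.100.31 25 3300
1117200032 10.0.0.9 198.51.100.32 25 5100
1117200033 10.0.0.9 198.51.100.33 25 4400
1117200034 10.0.0.9 198.51.100.34 25 6100
1117200035 10.0.0.9 198.51.100.35 25 2900
1117200036 10.0.0.9 198.51.100.36 25 3800
1117200037 10.0.0.9 198.51.100.37 25 4700
1117200038 10.0.0.9 198.51.100.38 25 5500
"""

# Customers who phoned in and asked for unrestricted port 25 (assumed list).
ALLOWLIST = {"10.0.0.9"}


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, _nbytes = line.split()
        flows.append((src, dst, int(port)))
    return flows


def summarize_smtp(flows):
    """Per source host: number of port-25 connections and distinct destination MTAs."""
    summary = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for src, dst, port in flows:
        if port != 25:  # only outbound SMTP matters here
            continue
        summary[src]["connections"] += 1
        summary[src]["destinations"].add(dst)
    return summary


def throttle_cap_kbps(connections, base_kbps=256, halve_every=4, floor_kbps=1):
    """Exponential throttle: the cap halves for every `halve_every` connections
    seen in the window, never dropping below `floor_kbps`."""
    return max(floor_kbps, base_kbps / 2 ** (connections // halve_every))


def classify(summary, allowlist=ALLOWLIST, fanout_threshold=8):
    """Return {src: (verdict, cap_kbps)}. Allowlisted hosts are left alone;
    hosts that contact at least `fanout_threshold` distinct MTAs are flagged."""
    verdicts = {}
    for src, stats in summary.items():
        if src in allowlist:
            verdicts[src] = ("allowlisted", None)
            continue
        cap = throttle_cap_kbps(stats["connections"])
        zombie = len(stats["destinations"]) >= fanout_threshold
        verdicts[src] = ("suspected_zombie" if zombie else "normal", cap)
    return verdicts


def analyze(text=SAMPLE_FLOWS):
    """Full pipeline over a flow log: parse, summarize, classify."""
    return classify(summarize_smtp(parse_flows(text)))


if __name__ == "__main__":
    for host, (verdict, cap) in sorted(analyze().items()):
        print(f"{host:12} {verdict:17} cap_kbps={cap}")
```

    The fan-out count, not the raw connection count, carries the zombie signal: a legitimate home MTA sends a handful of messages to a handful of domains, while a spam bot opens connections to many unrelated MTAs in a short window. Throttling alone would also slow the allowlisted host, which is why the opt-out check runs first; in production the window would be time-bounded and the verdict would feed a ticket for a human to review before any disconnection, in line with Randseed's "after a human review" suggestion below.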

  22. Crap. by Randseed · · Score: 4, Insightful
    Earthlink/Mindspring already pull this shit. They block all outgoing traffic on port 25 to all servers except their own SMTP servers which they've blessed. The catch is that then email sits on their lame SMTP server for x number of hours if it doesn't go out, instead of the immediate notification I get from my own server. Then there are problems with the mail servers of the ISP going to shit -- I don't care why.

    Roadrunner, by contrast, doesn't do this. This is why I subscribe to their service now and dropped Mindspring.

    Email I send goes over my LAN to my SMTP server, which then handles sending it out. 99% of the time I don't have a problem. When I do, it's usually for some shit like AOL or sending mail _to_ Earthlink or Mindspring, at which point they get a complaint email (which they of course ignore), and then a bunch of enraged calls from their customers (who don't understand the entire thing) saying that the ISP's email reception is broken (which it _is_). This wastes their time dealing with their enraged customers. If they don't like it, they can fix their fucking systems.

    Of course, I could set a smart host to my ISP's mail server, which solves the problem, but grants me the problem I pointed out in the first paragraph.

    If ISPs are going to block outgoing port 25 and effectively break the net that way, then they need to FIX THEIR FUCKING SMTP SERVERS FIRST. If they would do that, then I wouldn't give a rat's ass what the fuck they do aside from the principle of the thing.

    All of this evades solving the real problem. The real solution is to filter spam using something like Spamassassin and, because that's a drain on resources, block the originating SMTP host automatically (and send an email to the technical contact) when X number of spams are received from the same IP address. When Y number of spams are received from an ISP, block that entire ISP. The IP mappings are available or, at least, could be made available. Then the ISP's resources are only tapped up to X (or Y) number of spams. This blocks zombies, but is a stopgap solution. The real solution lies with the originating ISP, which needs to map that back to an account and cut that account off. After that, the originating ISP which was used can send a bill back to the user and turn them into the FTC for violating anti-spam legislation. All this, of course, with forced banning of ISPs running zombies.

    This, in turn, puts pressure on Micro$hit to fix their fucking operating system, and on users to keep their systems up to date.

    Now the simplest solution? Wait for it, it's mind-numbingly simple. If you're going to block port 25, ALL ISPs should allow opening of port 25 with a no-questions-asked phone call with the understanding that if it's caught sending spam then, after a human review, the account will be cut off.

  23. Re:Blocking port 25 seems reasonable by dubl-u · · Score: 3, Insightful

    Hardcore geek here, with a UID that's far lower than yours.

    You're allegedly a hardcore geek, but you're whining about the fact that people on consumer-grade internet connections are treated like consumers?

    Really, if you want to get treated like the big swinging dick you apparently think you are, you should probably get a real internet connection. Go get yourself a T1 or a colocated server. Or both. Christ, I know people who get hundred-megabit pipes for their hobby projects; if you can't afford the few hundred bucks a month for a home T1, or the $70 bucks a month for a real ISP's DSL, then you should scrape together the $20 per month for a fractional colocated server and run your own mailserver.

    Otherwise we may have to take away your ridiculously low UID and give it to somebody more deserving.

  24. Re:Block 25 all you like. by LilGuy · · Score: 2, Insightful

    I don't like the idea that my ISP could arbitrarily block certain ports from being used. I don't need a nanny. I know I'm not typical in this sense, maybe among the slashdot crowd I am, but you gotta ask yourself where do they draw the line? So they start blocking 25 on major ISPs so all the morans [sic] that got owned can't be used to spam. But how easy would it be for these zombie creators to worm their way around a blocked port? How easy would it be for the zombies' masters to not use the zombies for spam, but for DDOS instead...

    Blocking the port at the ISP really wouldn't solve anything. Those that don't need the "protection" would be restricted in their net use, and those zombies would most likely just get updated to zombie 2.0 that works around the blocked port.

    We need people to LEARN how to use their computers. That would be the ideal solution to most technical problems. But simply blocking access to something (a port especially) isn't going to solve anything.

    --

    You're nothing; like me.
  25. Re:Block 25 all you like. by jd · · Score: 2, Insightful
    Well, such Operating Systems do exist. And even if the customer chooses not to use them, a password-locked proxy/firewall would stop just about any network-based trojan or virus from breaking out under its own steam.


    In other words, the customer is just as capable of stopping anything from attacking the Internet from their machine as they are capable of fastening a seatbelt or checking their tire pressures. Sure, it's "extra work" - so are the two above examples, but people are still expected to do them and can be penalized for failing to do so if, in the process, they cause injury to others.


    So, we already have the idea in society. It isn't anything new or revolutionary. It is merely an extension of those parts of our day-to-day routine that involve a little awareness and a little respect. And those customers unwilling to do either, just because the other person isn't physically there, should have to pay some sort of price to offset that.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  26. Re:Not the worst solution.. by Tim+C · · Score: 2, Insightful

    Actually, although I've not read the article, personally your description of what you do (divert all traffic to a set page) meets my definition of "disconnected from the net".

    The user's PC can still connect to a small area of the ISP's network, but not to The Internet - surely that counts? (It's also a far better solution than just killing their connection completely, as you say)

  27. Re:Block 25 all you like. by tacocat · · Score: 3, Insightful

    Both of these concepts have a potential flaw. Burden of Proof.

    If someone is using my email address for fraudulent headers to make it appear that I am sending the spam, is that sufficient for them to shut me down? Do I have to prove that the email which I do not have a copy of, did indeed not come from me?

    Based on how ISPs have behaved in the past, they would be more likely to arbitrarily shut someone down because they either triggered a spam filter erroneously (false positive) or got their email address put into the spam headers.

    I do not agree that there should be a nominal fee applied to someone who is hosting their own mail server. On the contrary, I should be getting a refund on the basis that lower costs are realized against my account, since I have zero email disk usage on their servers and have fewer help desk calls. The uber-geek types only need to call the ISP when the connection is down or blocked.

  28. Re:Go ahead, block 25 by FridayBob · · Score: 2, Insightful

    If a spam-bot appears that blocks the local POP and IMAP ports and notifies users with a message saying "You cannot receive email because your ISP is blocking port 25 -- call and request that they unblock it", chances are that the helpdesk will soon be asking the right questions to figure out whether the user is infected with a common virus or not. Sure, helpdesk people may not always be that experienced themselves, but they can usually follow procedures.

  29. Re:Block 25 all you like. by wernercd · · Score: 2, Insightful

    The Customers that buy your pills may agree... but what about the countless OTHER people that don't buy your pill?

    Why should they/I have to put up with your garbage?

    The vast majority of emails don't result in buys. It's the small percentage of sales per emails sent that spam results in that keeps the spam rolling in AND motivates a spammer to send out more and more AND MORE garbage.

    1 person out of 100 buys an item thru an email - all of a sudden that email isn't NOT spam. That's just proof positive that there are STILL people out there that don't know that supporting the 'system' is only gonna make it worse.