Slashdot Mirror


FTC Recommends ISPs Disconnect Spam Zombies

Mike Markley writes "CNN is carrying a story about the FTC's plans and concerns around spam zombies. They say they will be identifying such zombie hosts and notifying ISPs, and are recommending that the ISPs disconnect indicated users. There's also a recommendation likely to raise the ire of the geekier sorts: that ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound)." From the article: "Law enforcers in 25 other countries, from Bulgaria to Peru, are also participating in the campaign, the FTC said. Absent from the list of cooperating countries was China, where experts say rapid growth and a relative lack of technical sophistication have led to a large number of zombie computers."

74 of 411 comments

  1. Block 25 all you like. by jd · · Score: 2, Interesting
    I've got an IPv6 tunnel onto the 6bone, and can therefore run my own IPv6-aware mailserver. I can still send to IPv4 mail addresses, because mail addresses aren't IP version-aware.


    So nyah!


    Oh. They just blocked tunnels, too. Shit.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Block 25 all you like. by Locke2005 · · Score: 2, Insightful

      Anybody smart enough to get around port 25 blocking is probably smart enough to not get his machine owned by spammers... Yes, all ISPs should block port 25 by default, and only open it up for customers that specifically request it (and probably should charge those customers more). But then, I'm certainly not the first person to suggest this.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    2. Re:Block 25 all you like. by Martin+Blank · · Score: 2, Interesting

      Instead of charging customers for opening the port, they could have a provision where you request in writing that the port be opened for your IP address. Upon finding that you have been spamming (intentionally or not), they disconnect you (for a minimum time, say, 24 hours) until you pay a reconnect fee. A second time results in a longer disconnect (a week, perhaps) and a higher fee. A third offense bars you from their network for a year.

      --
      You can never go home again... but I guess you can shop there.
    3. Re:Block 25 all you like. by psyon1 · · Score: 2, Insightful

      Why not charge those who are causing the problems a fine? I run my own mail server on a co-located server, there is no reason I should have to pay extra to connect to it.

    4. Re:Block 25 all you like. by jd · · Score: 2, Interesting
      That would be a very good system - perhaps even extend it to people who have any kind of virus, trojan or zombie that inconveniences or harms others, even if it's not spamming people.


      (It would be no different from, say, driving a car that had failed - or not received - State safety checks, in those States that require them. If you do something reckless, but do so in a way that doesn't actually interfere with anyone, then there's no big deal, but it's on you - not them - to make sure of that.)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    5. Re:Block 25 all you like. by msim · · Score: 2, Interesting

      My isp blocks inbound port 80, 25, netbios, etc, packets by default, and you have to go into your system profile and have this blocking disabled if you want to look after this yourself.

      I presume a similar thing could be configured for outbound port 25 if they wanted to, perhaps even with a "whitelist" of hosts you're permitted to send to. Definitely food for thought

      --

      Life is like a box of chocolates, you never know when your gonna get food poisoning.
    6. Re:Block 25 all you like. by LilGuy · · Score: 2, Insightful

      I don't like the idea that my isp could arbitrarily block certain ports from being used. I don't need a nanny. I know I'm not typical in this sense, maybe among the slashdot crowd I am, but you gotta ask yourself where do they draw the line? So they start blocking 25 on major isps so all the morans [sic] that got owned can't be used to spam. But how easy would it be for these zombie creators to worm their way around a blocked port? How easy would it be for the zombies' masters to not use the zombies for spam, but for DDOS instead...

      Blocking the port at the isp really wouldn't solve anything. Those that don't need the "protection" would be restricted in their net use, and those zombies would most likely just get updated to zombie 2.0 that works around the blocked port.

      We need people to LEARN how to use their computers. That would be the ideal solution to most technical problems. But simply blocking access to something (a port especially) isn't going to solve anything.

      --

      You're nothing; like me.
    7. Re:Block 25 all you like. by jd · · Score: 2, Insightful
      Well, such Operating Systems do exist. And even if the customer chooses not to use them, and a password-locked proxy/firewall would stop just about any network-based trojan or virus from breaking out under its own steam.


      In other words, the customer is just as capable of stopping anything from attacking the Internet from their machine as they are capable of fastening a seatbelt or checking their tire pressures. Sure, it's "extra work" - so are the two above examples, but people are still expected to do them and can be penalized for failing to do so if, in the process, they cause injury to others.


      So, we already have the idea in society. It isn't anything new or revolutionary. It is merely an extension of those parts of our day-to-day routine that involve a little awareness and a little respect. And those customers unwilling to do either, just because the other person isn't physically there, should have to pay some sort of price to offset that.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    8. Re:Block 25 all you like. by tacocat · · Score: 3, Insightful

      Both of these concepts have a potential flaw. Burden of Proof.

      If someone is using my email address for fraudulent headers to make it appear that I am sending the spam, is that sufficient for them to shut me down? Do I have to prove that the email which I do not have a copy of, did indeed not come from me?

      Based on how ISPs have behaved in the past, they would be more likely to arbitrarily shut someone down because they either triggered a spam filter erroneously (false positive) or got their email address put into the spam headers.

      I do not agree that there should be a nominal fee applied to someone who is hosting their own mail server. On the contrary I should be getting refund on the basis of lower costs are realized against my account since I have zero email disk usage on their servers and have fewer help desk calls. The uber-geek types only need to call the ISP when the connection is down or blocked.

    9. Re:Block 25 all you like. by wernercd · · Score: 2, Insightful

      The Customers that buy your pills may agree... but what about the countless OTHER people that don't buy your pill?

      Why should they/I have to put up with your garbage?

      The vast majority of emails don't result in buys. It's the small percentage of sales per emails sent that spam results in that keeps the spam rolling in AND motivates a spammer to send out more and more AND MORE garbage.

      1 person out of 100 buys an item thru an email - all of a sudden that email isn't NOT spam. That's just proof positive that there are STILL people out there that don't know that supporting the 'system' is only gonna make it worse.

    10. Re:Block 25 all you like. by Martin+Blank · · Score: 2, Interesting

      If it's made relatively easy to get fixes for the issues, then it is possible. Instead of an absolute cut-off, that MAC address can be assigned a private address that allows access only to a very limited network that contains information about, and opportunity to buy, anti-virus software and OS/application patches. It could even, with appropriate permission from the AV vendors, provide downloads for the stand-alone tools that are created for removing small numbers of viruses. It would assist people in getting better control over things, and I think they would be appreciative of that.

      --
      You can never go home again... but I guess you can shop there.
    11. Re:Block 25 all you like. by Martin+Blank · · Score: 2, Informative

      Burden of proof is easy. Hook up network traffic monitors that track the port usage on all of the systems in the network. Excessive port 25 usage would be used in conjunction with reports from the outside. If they get 300 reports of spams using your e-mail address, but they look and you have virtually no port 25 usage, then it's a safe bet that you didn't send it, at least from that system. No reason to shut it down.

      If, OTOH, they look and you're sending a solid 30KB/sec over port 25 for the last six days, then it's a good bet that you're either spamming or you're a zombie for a spammer. Either situation needs to get rectified quickly, and it shouldn't be hard for you to show that you do have a legitimate need for sending out all of that mail, if indeed you do.

      --
      You can never go home again... but I guess you can shop there.
  2. Go ahead, block 25 by ProfaneBaby · · Score: 3, Interesting

    Just leave 587 open. The 'geek' users should be smart enough to figure that out anyway.

    Home users SHOULD be blocked or disconnected, one or the other. I don't actually care which, but as someone who watches mail queues for busy hosting servers, home users infected with viruses become a huge annoyance.

    --
    Video Phone Blogs send video messages straight to the web.
    1. Re:Go ahead, block 25 by dgatwood · · Score: 5, Insightful
      The right answer is pretty simple, actually. Start out with port 25 blocked. When the user calls to complain, unblock it on a per-user basis. People who need port 25 unblocked know enough to request it, and there's no valid excuse for denying it. People who run Win-zombies don't have any valid reason to ask for it to be unblocked and generally don't know enough to ask for it anyway, as most of them think that "port" means the ethernet jack on their DSL router/modem....

      Problem solved, and everybody wins.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Go ahead, block 25 by MightyMartian · · Score: 2, Insightful

      The proper solution is to only let MTAs communicate via port 25, and to use 587 as it was intended, for MUAs. Stick SMTP Auth on port 587, and you're on your way. The only downside to this is if the worm authors start using the MUA (by this I mean Outlook Express in particular) to send email. I suspect that most users aren't really aware enough to notice a dozen messages they didn't write flying out of their Outbox.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Go ahead, block 25 by bodgit · · Score: 2, Informative

      465 is SMTP over SSL. 587 is submission, AIUI it's basically the same as SMTP but without the moral obligation to accept all correctly addressed mail from anywhere, so you can put up various auth barriers and whatnot.

    4. Re:Go ahead, block 25 by ProfaneBaby · · Score: 2, Informative

      587 requires authentication, which gets logged, and becomes MUCH easier to track from the sender side.

      --
      Video Phone Blogs send video messages straight to the web.
    5. Re:Go ahead, block 25 by coyote-san · · Score: 2, Interesting

      "Home user" is not synonymous with "personal user," especially as more and more people work from home. (Either by choice or because their employers are too cheap to spring for office space.)

      I paid substantially more for a Comcast "business" account at my home address, then found I still had problems hosting my own domains because of their inability to provide a static address... or even a dynamic address within a "business class" block. (The latter meant I was blocked by RBLs listing all residential DSL/cable modem IP blocks.)

      Could I have bounced outbound mail through their servers? Sure.

      Could I stop them if they decided to rewrite the headers to indicate the true sender of the message, e.g., in an attempt to prevent malicious users/malware from pretending to be the security department at eBay or Citibank? Nope. Besides "what's the harm" if I'm identified as "some.user@comcast.net" instead of "some.user@my.own.domain.com" since I'm the same person?

      I eventually switched to a virtual server at <URL:http://tummy.com/>. It was cheaper, it has a static IP address, it isn't blacklisted, etc. Of course I still need an outgoing port 25 so I can bounce my outbound mail through it.

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    6. Re:Go ahead, block 25 by conteXXt · · Score: 2, Insightful

      Exactly why isps should:
      1. use static dhcp.
      2. tie the ip address to the modem/account
      3. cap the outbound bandwidth (like they already do)
      4. let anyone run a server.

      Personal responsibility shouldn't end at your modem.

      It doesn't end at your door.

      --
      The truth about Led Zep should never be told on /. (Karma suicide ensues)
    7. Re:Go ahead, block 25 by Lord+Kano · · Score: 4, Interesting

      What happens when spam-bots block pop/IMAP ports on the local machine and then send pop-up windows to the user saying "You can not receive email because your ISP blocks 'Port 25', call and request that they unblock it."

      User:"I need you to um, 'Unlock Port 25'?"
      Tech Support:"What seems to be the problem?"
      User:"I can't get my email and I need you to unlock port 25."
      Tech Support:"You'll have access in 30 seconds."

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    8. Re:Go ahead, block 25 by Bombcar · · Score: 4, Funny

      You'll then see trojans that say, "Call your ISP and ask them to unblock port 25 to see hot naked networks!"

      Bet your last dollar on it.

    9. Re:Go ahead, block 25 by slugo3 · · Score: 2, Informative

      I use SBC and it's true that they didn't notify the users, then again I don't check my sbc email either.
      Most users running a mail server would probably notice a problem pretty fast.
      sbc unblocked it within a day after a visit to the following page though.

      http://help.sbcglobal.net/article.php?ys_service=DSL&ys_state=&browser_redirect=%2Farticle.php%3Fitem%3D4640

    10. Re:Go ahead, block 25 by Sheepdot · · Score: 3, Interesting

      Yes, this seems like an answer to the problem, but what I've never understood is that ISPs have the capability to determine when someone is sending spam and when someone isn't. Just monitor egress port usage. If someone is sending out 50 emails per second then block them. If they are sending one every 2 minutes, then don't.

      Or, when a user signs up, give them the option! Why ISPs haven't provided this yet is beyond me. Have a simple web form that lets users sign in and turn off port blocking, the only ones smart enough to know they need to turn it off are also the ones that most likely need to.

      For that matter, why hasn't Microsoft implemented this as a "feature" of windows XP? If they are turning off raw socket access, they might as well also turn off sending from port 25 by default. It'd upset some of us who host websites on our XP workstations, but if they really want to promote Windows 2003 Server, then this would seem like a viable option.

      Or maybe, just maybe, we could abandon the ridiculous email protocol altogether, and move to something that is built with trust in mind. Or we could all start implementing greylisting and actually increase the cost of spam.
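
The cross-check that Martin Blank and Sheepdot describe above (abuse reports weighed against measured outbound port 25 traffic), as an added example that is not part of any comment in the thread. The flow-record format, the documentation-range addresses and the 10-minute window are constructed; the 30 KB/s and 50-per-second thresholds borrow the commenters' figures, and the single-relay verdict is an added assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

SMTP_PORT = 25  # direct MTA-to-MTA port; 587 (submission) is deliberately not counted


@dataclass(frozen=True)
class Flow:
    """One outbound flow record (constructed format, not a real NetFlow schema)."""
    ts: int      # seconds since the start of the observation window
    src: str     # subscriber address
    dst: str     # remote address
    dport: int   # destination port
    nbytes: int  # bytes sent by the subscriber


def port25_usage(flows, window_secs):
    """Per-subscriber outbound port 25 rates over the window."""
    raw = defaultdict(lambda: {"bytes": 0, "conns": 0, "dests": set()})
    for f in flows:
        if f.dport == SMTP_PORT:
            r = raw[f.src]
            r["bytes"] += f.nbytes
            r["conns"] += 1
            r["dests"].add(f.dst)
    return {
        src: {
            "bytes_per_sec": r["bytes"] / window_secs,
            "conns_per_sec": r["conns"] / window_secs,
            "distinct_dests": len(r["dests"]),
        }
        for src, r in raw.items()
    }


def triage(flows, abuse_reports, window_secs,
           bps_threshold=30_000, cps_threshold=50, relay_max_dests=2):
    """Combine outside abuse reports with measured port 25 egress.

    Thresholds are illustrative (taken from the figures quoted in the thread);
    relay_max_dests is an assumption used to recognise a customer who relays
    everything through one or two mail servers of their own.
    """
    usage = port25_usage(flows, window_secs)
    idle = {"bytes_per_sec": 0.0, "conns_per_sec": 0.0, "distinct_dests": 0}
    verdicts = {}
    for src in sorted({f.src for f in flows} | set(abuse_reports)):
        u = usage.get(src, idle)
        reports = abuse_reports.get(src, 0)
        heavy = (u["bytes_per_sec"] >= bps_threshold
                 or u["conns_per_sec"] >= cps_threshold)
        if not heavy:
            # Reports without matching traffic: the address was probably forged.
            verdict = "forged-sender-likely" if reports else "ok"
        elif reports == 0 and u["distinct_dests"] <= relay_max_dests:
            # Sustained volume to a single relay: ask the customer, don't cut off.
            verdict = "heavy-single-relay"
        else:
            verdict = "suspected-zombie"
        verdicts[src] = verdict
    return verdicts


def sample_data(window_secs=600):
    """Constructed sample: four subscribers in the 192.0.2.0/24 documentation range."""
    flows = [
        # A: two small messages, yet named in 300 outside reports
        Flow(10, "192.0.2.10", "203.0.113.9", 25, 5_000),
        Flow(400, "192.0.2.10", "203.0.113.9", 25, 5_000),
    ]
    for t in range(window_secs):
        # B: 10 connections/second fanned out over 250 destinations
        for i in range(10):
            dst = f"198.51.100.{(t * 10 + i) % 250 + 1}"
            flows.append(Flow(t, "192.0.2.20", dst, 25, 4_000))
        # D: same byte rate, but everything goes to one relay
        flows.append(Flow(t, "192.0.2.40", "203.0.113.5", 25, 40_000))
    # C: heavy authenticated submission on 587, never touches port 25
    flows += [Flow(t, "192.0.2.30", "203.0.113.7", 587, 50_000) for t in range(100)]
    reports = {"192.0.2.10": 300, "192.0.2.20": 12}
    return flows, reports


if __name__ == "__main__":
    flows, reports = sample_data()
    for src, verdict in triage(flows, reports, 600).items():
        print(src, verdict)
```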

    11. Re:Go ahead, block 25 by teh_winch · · Score: 2, Insightful

      I find it hard to believe the person at the isp does anything different when finding the user of a static ip compared to a dynamic ip. They would just enter the ip and time and get back the user's details.
      Finding the user of an ip must happen often enough that they already have automated tools to do the job.
      Users causing trouble and needing to be identified isn't exactly a new or uncommon problem.

    12. Re:Go ahead, block 25 by timbo234 · · Score: 2, Funny

      Optus here in Australia blocked port 25 a while back like this. At first you had to ring them to get it undone but then they put a thing on the web page so you could just click to unblock it permanently for your account. It said something scary about you accepting all responsibility for any spam that comes from your computers.

      Personally I think this is the right approach since most people who want to access external SMTP servers are cluey enough to get it unblocked. Whereas it still targets the rest of the customers who wouldn't notice or take action if their computer grew devil horns and started glowing an evil red as an indication that it had been zombied by a spammer.

      --
      Pre-canned Evolution Links for all those Slashdot holy wars.
    13. Re:Go ahead, block 25 by FridayBob · · Score: 2, Insightful

      If a spam-bot appears that blocks the local POP and IMAP ports and notifies users with a message saying "You cannot receive email because your ISP is blocking port 25 -- call and request that they unblock it", chances are that the helpdesk will soon be asking the right questions to figure out whether the user is infected with a common virus or not. Sure, helpdesk people may not always be that experienced themselves, but they can usually follow procedures.

  3. China will play along by winkydink · · Score: 2, Interesting

    If this gets substantial traction, China will get its collective shit together and do something about it. A few days of null-routing their traffic should do the trick.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  4. Spam Zombies? by spotmonk · · Score: 2, Funny

    It's enough that I get spam from live people..
    but now spam from the undead?

    1. Re:Spam Zombies? by Rei · · Score: 4, Funny

      dear brain owner,

      compliments of the season to you. I am Barrister Urrrrrrrrrrrr Guurrrrrrrr. I represent Rrrrrrrr Rrrrrrrrrr, son of the late gen. Rrrrrrr Urrrrrrrgh, who was the former military head of state in Transylvania. he died in 1312. since his death, the family has been losing a lot of money due to vindictive church officials who are bent on dealing with the family. based on this therefore, the family has asked me to seek for a foreign partner who can work with us as to move out the total sum of us$75,000,000.00 ( seventy five million united states dollars ) in gold, presently in their possession. this money was of course, acquired by the late president and is now kept secretly by the family. the Swiss government froze all the accounts of the family in Switzerland in 1571, and some other countries would soon follow to do the same. This bid by some government officials to deal with this family has made it necessary that we seek your assistance in receiving this money and in investing it on behalf of the family.

      This must be a joint venture transaction and we must all work together. since this money is very heavy, extra security measures have been taken to protect it from theft or seizure, pending when agreement is reached on when and how to move it into any of your nominated bank accounts. please contact me so we can arrange to meet you at a graveyard of your convenience in the Transylvania area to complete the transaction. as it is in a rather large box, please bring a chainsaw to assist in cutting it open.

      Note: Please send your reply through (Urrrrrrrrrrrr.Guurrrrrrrr@sco.com)

      --
      All we want to do is eat your brains.
  5. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  6. Anyone got bandwidth for new venture? by conteXXt · · Score: 2, Funny

    1. Get fcc to 'advise' isps to block 25.
    2. wait for futility among the geeks to set in.
    3. set up vpn server for aforementioned geeks. (real verified reg required)(paid service but (Real Cheap)
    4. profit!!!

    any takers?

    --
    The truth about Led Zep should never be told on /. (Karma suicide ensues)
  7. Re:25? Already blocked. by Chmarr · · Score: 2, Interesting

    Umm... how does sending to port 80 work? Or... have you configured your mail server to accept mail on port 80... and they're only sending to you?

  8. I second! by Hrodvitnir · · Score: 3, Informative

    Having worked for a university tech department that did this, I would have to say, I can't think of a better way to open people's eyes to the threat of virii than to revoke their internet privileges.

    --
    "There are more important things than stopping terrorism. Upholding the Constitution is one of them." - Ars Forumer.
    1. Re:I second! by Mad+Merlin · · Score: 2, Insightful

      Are you going to refund the money they paid for the 'net connection for that time too? I agree that a network connection is not a right but a privilege, but at the same time, they're still paying for that privilege, what gives you the right to take their money and give nothing in return?

  9. What about VOIP/911 services? by ringfinger · · Score: 4, Interesting
    Completely cutting them off would be a disaster. Most users wouldn't know what happened or how to get back connected. Plus, support costs for ISPs would go through the roof.

    People use their broadband connections for phone and 911 services now -- cutting them off completely could literally cut them off from emergency services.

    1. Re:What about VOIP/911 services? by winkydink · · Score: 3, Funny

      You're betting on your ISP's reliability to get you through in an emergency? Perhaps natural selection is making a comeback.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  10. blocked ports by DaveCar · · Score: 3, Insightful

    I wouldn't mind too much, so long as you could opt out - just call up and say "I have half a clue what I'm doing" or "I'm not running a festering infected OS from Redmond".

    I'm guessing most of the people who unwittingly harbour zombie machines wouldn't know wtf port 25 was anyway ...

    Maybe a couple of basic networking questions to weed out the chancers?

  11. I already do this on my home net by WillerZ · · Score: 4, Interesting

    Traffic to or from port 25 is dropped at my router. My external email provider gives me SMTP-TLS on a high port, so I lose nothing.

    This means that even if a worm gets through the NAT and manages to infect my patched-to-current AV-running machines, it can't do what 90% of them want to. Thus, when the patch/AV database update arrives and kills it, I know I've not contributed to the problem.

    --
    I guess today is a passable day to die.
  12. So what? by grub · · Score: 5, Informative

    That ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound)

    My ISP doesn't block 25 outgoing but a few spam blacklists have my IP range on their "DSL/Cable/Dialup" listings so I send mail from my internal server through the ISP.

    The result? No more "You're on a dynamic IP" bounce messages.

    --
    Trolling is a art,
  13. Blocking port 25 only half bad by thegrassyknowl · · Score: 2, Informative

    that ISPs only permit users to send mail through their own servers

    I am a geekier sort, and this pisses me off. At the same time I'm kinda glad. I only really use my ISP mail server for everything. They relay on even if my From: address is set to something other than my ISP-provided email address.

    Anything to bring the amount of SPAM down is good in my books. Even if it means a slight loss of accessibility to other mail servers... That said, SMTP has authorisation capabilities now. They should rethink the blanket block and block only those SMTP servers that don't force authorisation to send mail. At least that way you'd need an account on it to send mail.

    --
    I drink to make other people interesting!
  14. Re:Blocking port 25 seems reasonable by flabbergasted · · Score: 3, Informative

    You mean like this list of machines logged on my company's mailserver last night?

  15. Don't block 25 outbound! by m85476585 · · Score: 2, Insightful

    My ISP blocks port 25 outbound, forcing me to use their mail servers. When I am traveling and connected with a different ISP, I have to go into my email program's (Thunderbird) settings and change the outbound server (or not send mail). Also, what if I had to send an urgent message and my ISP's servers were down (it hasn't happened, but it could).

  16. This is going to get someone killed. by shift.red.avni · · Score: 2, Insightful

    The FTC should stick to trade, and leave the mismanagement of the Internet to the FCC. The FCC just ruled last week VOIP to tell their customers if they provide 911 access or not after a girl died because her mom couldn't call 911 on her VOIP phone.

    It won't be long before someone dies because their newly 911 enabled VOIP phone was disconnected because their machine was suspected of being a spam zombie.

  17. Re:25? Already blocked. by barc0001 · · Score: 5, Insightful

    Here's Bob. Bob is your boss at a small to mid sized company. He's not what you'd call "technical". You're the company's "tech" guy. You also do other things, but when the computers don't work, you're the go-to guy. Your company isn't that large, or that technical itself, so you host your mail with your company's ISP, PhoneCo. When Bob goes home, however, his ISP at home is CableCo. Bob is perpetually calling you either at home, or into his office because he "damn well can't send that email!" Invariably, the reason is because his account is configured to the wrong SMTP server, depending on where he is located.

    Wouldn't it be nice if you could just set up his account to use the company's ISP for SMTP all the time? You used to be able to do that, until the spineless CableCo decided they were just going to blanket-block port 25, no exceptions, instead of doing traffic analysis and chopping off the offenders. But that would take work, and effort, and nobody wants to do that, so just block 25 and call it a day!

    Note: Some elements of this story might be based on real experiences, which may explain the negative bias towards blanket policies of any type as bandaids.

  18. Or... by jd · · Score: 2, Funny
    Use X.400 - it's a lot more powerful than SMTP, supports receipts for e-mails, is much harder for spammers to inject fake-mails, and is ruthlessly standardized.


    Well, it does have the drawback that nobody uses it anymore, but that does mean you never have to worry about your mailbox being flooded AND you get an excuse on why you didn't turn up to that important meeting that was called electronically.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  19. Re:Small Business Users / external hosting by The+Cisco+Kid · · Score: 2, Informative

    Nope.

    http://www.ietf.org/rfc/rfc2476.txt

    This idea is to separate 'a mailserver connecting to another mailserver to drop off mail that is addressed to a user at the destination server' from 'a user connecting to his own server, authenticating as such, and then dropping off outbound mail for that server to then send on to the final destination', and restrict the first to non-dynamic, non-'consumer', or any addresses where there isn't some reasonable expectation of a positively identifiable responsible party.

    Spammers will have a lot harder time abusing the second, and will be easier to identify if and when they do.

  20. What it is about China? by Klivian · · Score: 2, Insightful

    What is it about all this nagging about China, Brazil et al, when the vast majority of spam still comes from the US? Not only is it sent from US based computers, zombies or otherwise. But the seller of the gods advertised are also in most cases US based.

  21. Stupid policy. by Erris · · Score: 3, Insightful

    Closing port 25 is pointless because the owners of the botnet already know to use the ISP's SMTP server, just like the victim does, to send mail. You won't really stop the spam or DDoS this way, you will just stop normal users from doing something that's easy and useful.

    There's nothing difficult about running a mail server. Exim comes with Debian and has reasonable default values set in a script that tells you what it's doing. It's no harder to run than it is to use a GUI client. There are many advantages to it as well, such as custom mail addresses for registrations and other junk.

    Reducing redundancy is bad for national security. In the end, it's much easier to DDoS email by targeting two broadband providers than it is to target thousands of individual users with a clue. The setback will be temporary. As email dies as a useful communication media, Jabber and others will rise in its place.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:Stupid policy. by ErikTheRed · · Score: 3, Insightful
      Closing port 25 is pointless because the owners of the botnet already know to use the ISP's SMTP server, just like the victim does, to send mail. You won't really stop the spam or DDoS this way, you will just stop normal users from doing something that's easy and useful.
      Most ISPs rate-limit outbound SMTP. Some will shut down a client that appears to be spamming, and force the user to call in to reestablish service. It's important to keep in mind that the vast, vast majority of users barely know how a computer works. ISPs are more or less forced to cater to the lowest common denominator. If you don't like that, then use a geek-friendly ISP like SpeakEasy.
      --

      Help save the critically endangered Blue Iguana
    2. Re:Stupid policy. by alienw · · Score: 4, Interesting

      Finally, someone with an ounce of sense. Or, how about this (very real) scenario? My university now publishes SPF listings. Therefore, I have to use the university (authenticated) SMTP server to send out email (to avoid getting an SPF fail for that email). However, my new ISP blocks port 25, so I can't use the university's server anymore and they cannot be bothered to port-forward some other port to the SMTP server. I have to use the ISP's mail server and risk getting my email deleted by the recipient as spam.

    3. Re:Stupid policy. by froody · · Score: 2, Insightful

      They could just as well rate limit all port 25 traffic. That shouldn't be much harder than forcing you to go through their server, and then limiting you there.

      Tim

  22. Re:25? Already blocked. by The+Cisco+Kid · · Score: 4, Informative

    Yes, so you make sure you pick a clueful ISP that has MSA (RFC 2476) support, which uses port 587, then you set his mail client to use that, and it works fine both when he's in the office, or at home, regardless of port 25 restrictions wherever he's getting his connectivity from.

    Since MSA requires him to *authenticate* (which most clients, even OE and ilk will do happily) when he connects on port 587, and the ISP only accepts *outbound* mail on that port (other ISPs wanting to deliver mail *to* your ISP still use 25) it isn't terribly attractive to spammers.

  23. port 25, zombies, DNS cache stuffing, debris by Senor_Programmer · · Score: 2, Funny

    Find a buddy with a mail server and use it. Port 25? You should use port 22 to talk to your mail server from anywhere other than its console. Seriously, if you want to tx&rx mail from wherever you are there are plenty of servers available to friends and friends of friends.

    ISPs should block zombies. A simple auto-generated email aroused by traffic level and requesting an explanation should be sufficient. Block all except port 53 and whatever the heck VOIP uses if there is no reply.

    DNS cache stuffing is still a problem. Who needs an open proxy when you're a legal host?

    A bounty on spammers perhaps? Outsource to Indonesia, Malaysia, Peru, Belarus, Ukraine, Pakistan, or any number of places.

    Hell, my lawn guy in USA, and this is an honest to $deity(s) quote...

    "Twenty dollah? TWENTY DOLLAH? I KEE a MAN FO TWENTY DOLLAH!"

  24. Re:Blocking port 25 seems reasonable by The+FooMiester · · Score: 5, Insightful

    Hardcore geek here, with a UID that's far lower than yours.

    Don't block my outbound port 25.

    Don't block my outbound ANYTHING.

    Block me off completely when my machine hurts the internet by spamming/flooding/whathaveyou.

    I'm so sick of this "Let's surrender our internet because of Microsoft" bullshit. I'm sick enough of it to burn karma by posting this crap that's going to get modded into oblivion.

    Not all of us know someone with a well connected server. Not all of us want to post mail from somewhere other than our box. I know that my box is working and isn't logging what I'm sending somewhere else. I know that the government isn't reading my email logs. I know that my server is MY SERVER and that's THAT.

    If you don't like it, go back to AOL. Then you can have your little closed interface, able to email all of your little friends who use the same closed interface, and get charged for what I can get for free. All I have to pay for is my connection, whereas you'll have to pay for every "value-added" service you use.

    --
    The previous has been a secret message to my comrades.
  25. Re:Well, how about this. by B747SP · · Score: 2, Informative
    I suspect the logic is, if you're sending out requests for web and email through the same port, there might be conflicts?

    Why would there be conflicts? A TCP connection is defined by four things... source IP, source port, destination IP, destination port. So long as any one of those four things is different from all the other connections currently being handled by, well, anyone, then it's a unique connection and it's not going to tread on any other's toes.

    Getting a box to listen on port 80 for SMTP and HTTP is gonna be a little trickier, but I suspect that isn't what you're trying to do.

    --
    I find your ideas intriguing and I wish to subscribe to your newsletter.
  26. Re:Go ahead, block 25 (vote for mod) by SirSlud · · Score: 2, Insightful

    Word.

    Honestly, education starts with being burned. It's 2005 and we're still trying to convince people that driving without seatbelts or racing other commuters, or ... insert public safety campaign here ... is a bad idea.

    It gains traction when folks who are spreading it are having their feet held to the fire.

    I'm not being an elitist jerk, I'm sayin that owning a computer is as much a responsibility as any thing else in life. You own a car, you're responsible for what you do with it. If your car is blowing up regularly, you might want to seek a new manufacturer.

    --
    "Old man yells at systemd"
  27. Re:Wrong way around by jhoger · · Score: 2, Interesting

    Let me make this clear to you and any other ISPs:

    Fail to route your customers' packets at your peril. Period.

    I already dropped Adelphia cable and went to Speakeasy when they purposely stopped routing ICMP packets. I made the decision in about 3 seconds once I found out what they had done.

    There are no bad ports or protocols, just bad people and programs. You'll have to deal with the problem directly not with bandaids if you want to keep your best customers.

    That said, if you are a low end provider you don't really have any "good customers" so do whatever you feel like.

    -- John.

  28. Re:Well, how about this. by The+Cisco+Kid · · Score: 2, Insightful

    If more and more major ISPs block port 25 outbound for their 'consumer grade' service, there will be less and less zombie spam from those networks. As more web and mailhosts come to grips with this (most already have, to be honest), they will ensure that they support MSA (RFC 2476), and those users that need to travel between connectivity providers will be set up to use it (only once, as it will also work when on one's 'home' network, no need to switch back and forth).

    Mail that servers send to other servers will still go via port 25, and in addition to other spam control measures, server admins won't have to deal with as many zombied wincrap boxes on $cableco or $telco/dsl networks.

    Spammers can't use MSA to deliver mail to recipients, as 1. it requires authentication, and 2. it should be set up to only accept mail for outbound relay from authenticated users. Yes, there will be some cases of spammers hijacking MS email software, and using its saved passwords to send mail as that user through that user's mail server, but that will be far easier to track down and squelch than the current situation of spam coming randomly from all over.

    More comprehensive info at:

    http://www.circleid.com/article/1039_0_1_0_C/
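
The split described in the comment above, port 25 for server-to-server delivery and port 587 for authenticated submission, modelled as a small SMTP policy. This is an added example, not part of the original thread or any real mail server's code; the domain, the credential, the `tls` flag and the exact reply codes chosen are assumptions of the sketch.

```python
import base64
import hmac

LOCAL_DOMAINS = {"example.org"}            # constructed: domains this server hosts
USERS = {"bob": "s3cret-constructed"}      # constructed credential store


def plain_token(user, password):
    """Build an AUTH PLAIN initial response: base64(NUL user NUL password)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def check_plain(b64):
    """Return the authenticated user name, or None if the token is bad."""
    try:
        _, user, password = base64.b64decode(b64, validate=True).decode().split("\0")
    except ValueError:                     # bad base64, bad UTF-8 or wrong field count
        return None
    expected = USERS.get(user)
    if expected is None:
        return None
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return user if ok else None


def _domain(path):
    """Lowercased domain part of an SMTP path such as <user@host>."""
    return path.strip().strip("<>").rpartition("@")[2].lower()


def run_session(port, commands, tls=False):
    """Apply the port 25 / port 587 policy to client commands; return reply codes."""
    user, have_sender, replies = None, False, []
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            code = 250
        elif verb == "AUTH":
            mech, _, resp = arg.partition(" ")
            if port != 587:
                code = 502                 # AUTH is not offered on the relay port here
            elif not tls:
                code = 538                 # do not accept a password in cleartext
            elif mech.upper() != "PLAIN":
                code = 504                 # only PLAIN is modelled
            else:
                user = check_plain(resp)
                code = 235 if user else 535
        elif verb == "MAIL":
            if port == 587 and user is None:
                code = 530                 # submission port: authenticate first
            else:
                have_sender, code = True, 250
        elif verb == "RCPT":
            rcpt_domain = _domain(arg.partition(":")[2])
            if not have_sender:
                code = 503                 # RCPT before an accepted MAIL
            elif port == 587 or rcpt_domain in LOCAL_DOMAINS:
                code = 250                 # authenticated relay, or local delivery
            else:
                code = 550                 # port 25 never relays to other domains
        else:
            code = 500
        replies.append(code)
    return replies


if __name__ == "__main__":
    token = plain_token("bob", "s3cret-constructed")
    sessions = {                           # constructed sessions
        "zombie relaying via port 25": (25, False, [
            "EHLO pc.cableco.example", "MAIL FROM:<x@spam.invalid>",
            "RCPT TO:<victim@elsewhere.example>"]),
        "remote server delivering to a local user": (25, False, [
            "EHLO mx.elsewhere.example", "MAIL FROM:<a@elsewhere.example>",
            "RCPT TO:<bob@example.org>"]),
        "zombie on 587 without credentials": (587, True, [
            "EHLO pc.cableco.example", "MAIL FROM:<x@spam.invalid>"]),
        "Bob submitting from home": (587, True, [
            "EHLO laptop", f"AUTH PLAIN {token}", "MAIL FROM:<bob@example.org>",
            "RCPT TO:<client@elsewhere.example>"]),
    }
    for name, (port, tls, cmds) in sessions.items():
        print(f"{name}: {run_session(port, cmds, tls=tls)}")
```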

  29. Re:25? Already blocked. by The+Cisco+Kid · · Score: 2, Interesting

    The 'better solution' you pine for has already existed for 7 years in RFC 2476, circa 1998. Hopefully more and more DSL/cableco's blocking of port 25 outbound will eventually lead to near-universal implementation of it.

    http://www.ietf.org/rfc/rfc2476.txt

  30. Not the worst solution.. by Fatal67 · · Score: 5, Interesting

    But there are better ones. I have just shy of 2 million broadband users on my network. Every day I have many customers who are detected as being infected. Automagically they are placed in a walled garden where the only page they can load tells them what is happening. Basically it tells them that they have been compromised. If we can determine the virus/trojan they are running, we give them a link to a locally stored method of correcting the problem. I have never received a complaint about it, but I have received hundreds of calls saying thank you.

    I do have to question the FCC's thinking though. Most people who get infected are not of a technical nature. If you disconnect them from the net, they are at a loss of how to fix the issue. Obviously they don't have up-to-date protection on their machine. If they go out and buy a brand new copy of whatever virus software, it will need to download the latest definitions, which they can't do because you shut them off.

    It reminds me of the mid 90's where if your ds3 to one of the 6 or so backbones went down they would send you an email to notify you. Or sending them a letter telling them you shut their phone off and telling to call you to get it turned back on.

    1. Re:Not the worst solution.. by Tim+C · · Score: 2, Insightful

      Actually, although I've not read the article, personally your description of what you do (divert all traffic to a set page) meets my definition of "disconnected from the net".

      The user's PC can still connect to a small area of the ISP's network, but not to The Internet - surely that counts? (It's also a far better solution than just killing their connection completely, as you say)

  31. Re:Small Business Users / external hosting by gregmac · · Score: 5, Interesting

    Blocking port 25 would just about kill small business people that use a 3rd party hosting service for their webpages and email.

    It doesn't matter what SMTP server you send outgoing mail from (so long as it's not blacklisted) -- SMTP doesn't check domain names or anything (which is also really the reason spam can exist so easily).

    I had a situation that was really annoying a few years ago. We were on DSL with the incumbent phone company, and used our own co-located server to send mail. One day, I could no longer connect to SMTP. Called them, of course tier 1 tech support says "no, nothing has changed". I wait for a while to see if it'll go away, then call them back a couple hours later. This time, the guy says that they noticed one router wasn't blocking 25, so they "fixed" it. I decided just to use their server, since it was an easy fix (make a DNS entry in the office only that points to their IP instead of ours).

    This was fine for a couple months. Then one day, we couldn't send mail again. I tried to connect to their SMTP, and it would either timeout, or VERY slowly connect. I call them, and they say they're being hammered by viruses, and it'll be fixed soon. Within half an hour it was back to normal. This happened about 3 more times, and I got really annoyed. I called and asked them to remove the port 25 block (just for my account -- even to only my mail server's IP), because it was ridiculous we couldn't send email. They said they couldn't, I'd just have to wait. Well, it was several hours and still not working, so I called again, and asked to speak to a manager or supervisor. Basically, same deal "no, we can't take off the block. Maybe you can use webmail". Although it would work, I didn't want to tell everyone to use webmail instead of their email clients just because of this. I called another ISP, asked them how long it would take to get me DSL (and made sure I could use my mail server), ordered it, and called my ISP back and set to get rid of their connection.

    Of course, this started another ridiculous series of events. The DSL remove order and DSL add order (that get filed by old and new ISPs, respectively) got "mixed up", and a couple days after moving to my new ISP the DSL signal was lost. An angry call to the phone co had it back within an hour (yet it somehow still takes 5 business days normally).

    The old ISP also decided that we actually couldn't cancel when we did - we were on a 1yr contract, and had to pay 50% of 8 months service or something for cancelling early. We had been a customer for 3 years, and none of our bills for the past year said anything about a 1year contract. They also couldn't produce the contract -- not even an unsigned version. In subsequent calls, they claimed that it was a verbal contract yet couldn't name who had supposedly made it. Eventually months later, in an effort to get our local phone service back (we had switched to a CLEC many years ago), they decided to "credit" our account for the charges. Of course, we remained with the CLEC.

    Anyway, that got a tad off topic, but I felt the need to vent. Stay away from the big phone companies ;)

    --
    Speak before you think
  32. User on the Road port 25 blocked? Tunnel over SSH by kjh1 · · Score: 2, Informative

    My users are constantly travelling and plugging into God knows whose networks, and then calling me up and telling me that our mail server is dead b/c they can't send e-mail. Why they always blame the local IT group first is beyond me... But anyway, it was invariably b/c port 25 was blocked.

    Our solution was to create a recipe that they could follow to tunnel their SMTP connection over SSH to our SMTP server. Even your pointy-haired boss can follow it. Include screenshots and make sure to include copious amounts of blame on the hotel network and spammers.

    If you're using Windows, you can use PuTTY and set up the forwarding tunnel beforehand too.

  33. Re:Blocking port 25 seems reasonable by Amazing+Proton+Boy · · Score: 2, Funny

    Yep. ;->

  34. Seller of the Gods! by plover · · Score: 2, Funny
    Fear Me, Fear Me!

    I am Zeus, Seller of the Gods.

    Opening bids up for Narcissus. He's in beautiful shape! Any takers for Narcissus? (Sorry, sir, but you cannot bid on yourself.)

    What am I bid for this muse, Apollo? Anyone care to bid on Apollo? Slightly used, I'm letting him go for a paean.

    We've got goddesses, too! Aphrodite is going fast! She always goes fast!

    Oh, you meant "seller of the goods"? Never mind.

    --
    John
  35. Re:Blocking port 25 seems reasonable by Rasta+Prefect · · Score: 2, Insightful
    It will inconvenience a big number of CEO's, CFO's, and other people who literally cannot be bothered to learn how their laptops work and want all their email to look like it is from their work account no matter where they are.

    V-P-N. If they're that far up the tree what they're sending is probably confidential anyway.

    --
    Why?
  36. FTC Does NOT Recommend Blocking SMTP / Port 25 by jonathanbearak · · Score: 3, Informative

    The article is quite vague. But I really think that Reuters is misunderstanding the details here and creating this inclarity. The FTC is not so stupid as to block port 25.

    I immediately went to ftc.gov.
    Here is a link to their actual press release:
    http://ftc.gov/opa/2005/05/zombies.htm

    They have a more detailed website at:
    http://www.ftc.gov/bcp/conline/edcams/spam/zombie/index.htm

    This site appears to be geared for the people who actually understand what's going on. The very first bullet point on the site states very clearly:
    "block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers."

    In other words, under their proposal, we can still send emails so long as we are authenticating to an SMTP server.

    We can use our College email, our Google, Yahoo, etc. accounts.

    This is how I interpret their idea:
    - You want to send email? Connect to an SMTP server and log on.
    - Incoming traffic is not interfered with.
    - If you send SMTP traffic directly from your computer to someone else's computer, this is blocked.

    I'm not sure exactly how one would implement this because one cannot know every "legitimate" mail server. Further, ISPs will not (should not) be scanning all of our SMTP packets to see what kind of traffic is coming from our computers. The easiest solution is something already in place, although it annoys me. I can still send SMTP from my computer (RoadRunner ISP, New York City) but if I send to an AOL user, for example, I get a reply back from AOL explaining that AOL will not accept emails from a Residential IP address. This is irritating, but it's no bother. Simply have all the ISPs say, these IP blocks are for our residential customers --- if you get email from them, it's probably a spam zombie, so you may wish to block such SMTP traffic if it becomes a bother.

    I'm not proposing anything, just trying to piece together what the FTC is actually saying. Trust me, they're not so clueless; it's usually the papers, especially in these generic wire reports, that mess up the details.

    The FTC is most certainly _not_ recommending that all port 25 traffic is blocked; they are not limiting anyone to their ISP's mail servers. How would the FTC people log in to their own FTC email from their homes? They'd have the same issues we'd have.

    Anyway, since I *never* use my ISP mail server (mostly because Google is faster, has more storage, and is easier to access when I don't feel like carrying my laptop around; and because for professional stuff I tell people to contact me @honorscollege.cuny.edu (even though I SMTP back through Google).

    Though less technical, I'm sure, most professional people require such a setup. Think things through. I see so many posts regarding outright and absolute SMTP / Port 25 blocking. That's too ridiculous to believe. Indeed, it's not even close to what the FTC actually says, as I cite above.

    Read their site if you still have your doubts. Let it be said, however, that the government is not as stupid as some would like to believe.

  37. A simple fix? by blanks · · Score: 2, Interesting

    Many ISPs offer a CD that you use to set up your services.

    Why not have built in software (firewall) that by default blocks port 25, and port 80 (inbound) irc in/out etc, and make the customer need to specifically allow those ports if they want them open.

    That way, the 99% of the customers who never use those ports will have cleaner or safer machines, while the people who do run their own servers have the ability to use them.

  38. Re:Small Business Users / external hosting by stor · · Score: 2, Insightful

    Blocking port 25 would just about kill small business people that use a 3rd party hosting service for their webpages and email.

    Running an MTA is serious business these days. It's not just about blocking VRFY and ETRN. I'm battling bounce attacks, attacks on postmaster and make-baby-jesus-cry brute force attacks which are:

    1. Difficult to stop.
    2. Apparently increasing in popularity.

    We process a bit over 100K emails/day. We reject about 15K emails/day.

    Are these small businesses going to try to address this problem with the same rigour as a professional? No, they are not. They are going to do the *bare minimum* to get/keep the MTA working and it's going to become another tool for spammers.

    If you have a static IP, your own domain configured (forward and reverse) and you are very capable of configuring ACLs on an MTA then you may be OK but you'll be like me: constantly looking for new ways of calming the storm of shit. Otherwise you're just going to become part of the problem.

    Cheers
    Stor

    --
    "Yeah well there's a lot of stuff that should be, but isn't"
  39. Throttling is better by ttul · · Score: 2, Insightful

    Rather than blocking port 25, progressive and user-friendly ISPs (does such a thing exist?) would be well served to simply throttle port 25. By exponentially dropping the available bandwidth to that port as traffic on it increases from a particular host, the zombie problem can be for the most part eliminated while not unduly penalizing legitimate senders of email.

    Blocking port 25 just shifts the problem around. With port 25 blocked, zombie owners are forced to use the ISP's outgoing mail servers. If throttling is intelligently applied to all port 25 traffic on a per-host basis, the feasibility of zombie spamming drops off.

    Put it this way: Which would you prefer: having one of your customers blacklisted as a result of spamming, or having ALL of your customers blacklisted as a result of your own mail servers spamming...?

    The OpenBSD team is working on a transparent traffic shaping proxy that will make magic like this trivial for the pf priesthood. IMHO this is yet another reason to support that excellent project by buying a CD or T-shirt.
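
The per-host throttle proposed in the comment above, sketched as a simulation: the bandwidth a host gets on port 25 halves for every fixed amount it has sent in the past hour. This is an added example, not from the thread and not the OpenBSD proxy the comment mentions; the class name, the rates, the halving step and the two traffic profiles are all assumed values.

```python
from collections import defaultdict, deque


class Port25Throttle:
    """Per-host port 25 bandwidth that decays exponentially with recent volume."""

    def __init__(self, base_rate=128_000, half_bytes=2_000_000,
                 window=3600.0, floor=256):
        self.base_rate = base_rate      # bytes/s an idle host gets (assumed)
        self.half_bytes = half_bytes    # rate halves per this many bytes in window
        self.window = window            # seconds of history that count
        self.floor = floor              # never throttle below this many bytes/s
        self._sent = defaultdict(deque) # host -> deque of (timestamp, bytes)
        self._total = defaultdict(int)  # host -> bytes currently inside the window

    def _expire(self, host, now):
        """Forget traffic that has aged out of the sliding window."""
        queue = self._sent[host]
        while queue and queue[0][0] <= now - self.window:
            _, nbytes = queue.popleft()
            self._total[host] -= nbytes

    def rate(self, host, now):
        """Bytes per second this host may currently push to port 25."""
        self._expire(host, now)
        allowed = self.base_rate * 0.5 ** (self._total[host] / self.half_bytes)
        return max(allowed, self.floor)

    def send(self, host, now, nbytes):
        """Account for one message and return how many seconds it takes."""
        seconds = nbytes / self.rate(host, now)
        self._sent[host].append((now, nbytes))
        self._total[host] += nbytes
        return seconds


def simulate(throttle, host, msg_bytes, interval, duration=3600.0):
    """Offer one message every `interval` seconds (0 means back to back).

    Returns (messages delivered within `duration`, slowest single transfer in s).
    """
    now, delivered, worst = 0.0, 0, 0.0
    while True:
        took = throttle.send(host, now, msg_bytes)
        if now + took > duration:
            break
        delivered += 1
        worst = max(worst, took)
        now += max(took, interval)      # the next message waits for the previous one
    return delivered, worst


if __name__ == "__main__":
    throttle = Port25Throttle()
    # Constructed profiles: a person sending 20 mails of 50 kB in an hour,
    # and a zombie pushing 10 kB spam as fast as the link allows.
    person = simulate(throttle, "198.51.100.7", 50_000, interval=180.0)
    zombie = simulate(throttle, "198.51.100.66", 10_000, interval=0.0)
    unthrottled = int(throttle.base_rate * 3600 / 10_000)
    print("person:", person)
    print("zombie:", zombie, "of", unthrottled, "possible without the throttle")
```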

  40. Re:Freedom is taken a little at a time. by Kilz · · Score: 2

    Forcing your mail to go thru my mailserver when it originates on my network is within my rights as a network operator. Please feel free to sign up with another provider that doesn't care if you spam. Of course, then you may not be able to send mail to anyone as you will be blacklisted, but at least you'll be free!

    What you fail to see is that people who are paying for high speed business accounts because they have a network at the house pay your company. Without income your company goes out of business.
    Spammer? Get a grip. Not everyone with an email server is a spammer. I have a right to do as I please as long as I hurt no one, and PAY the bill each month.
    I do not run an open relay. I do not send spam. I pay for the internet access. I should have the right to do whatever I want. That includes sending email using my domain. You know that bill I pay someone for each year?
    While not a constitutional right the idea that freedoms given away to get a little security. Are still freedoms given away. You will be no safer because someone blocks my ports. You will have taken away options. The next time someone wants to block a port it will be easy.
    What's next, blocking everything but port 80? You don't need bit torrent, that's to steal copyrighted movies. You don't need port 1412, DC++ is for trading illegal copyrighted songs. You don't need port 6667, don't use Mirc chat with a browser interface.
    Nice thing about competition. There isn't just one broadband provider. Maybe if enough people paying for the 6mbps accounts change providers and give the reason "you are restricting me" it will change their mind.
    After all if I couldn't do as I please do you think I'd pay a premium for a high speed account?

    --
    I trust Microsoft as far as I could comfortably spit a dead rat
  41. Crap. by Randseed · · Score: 4, Insightful
    Earthlink/Mindspring already pull this shit. They block all outgoing traffic on port 25 to all servers except their own SMTP servers which they've blessed. The catch is that then email sits on their lame SMTP server for x number of hours if it doesn't go out, instead of the immediate notification I get from my own server. Then there are problems with the mail servers of the ISP going to shit -- I don't care why.

    Roadrunner, by contrast, doesn't do this. This is why I subscribe to their service now and dropped Mindspring.

    Email I send goes over my LAN to my SMTP server, which then handles sending it out. 99% of the time I don't have a problem. When I do, it's usually for some shit like AOL or sending mail _to_ Earthlink or Mindspring, at which point they get a complaint email (which they of course ignore), and then a bunch of enraged calls from their customers (who don't understand the entire thing) saying that the ISP's email reception is broken (which it _is_). This wastes their time dealing with their enraged customers. If they don't like it, they can fix their fucking systems.

    Of course, I could set a smart host to my ISP's mail server, which solves the problem, but grants me the problem I pointed out in the first paragraph.

    If ISPs are going to block outgoing port 25 and effectively break the net that way, then they need to FIX THEIR FUCKING SMTP SERVERS FIRST. If they would do that, then I wouldn't give a rat's ass what the fuck they do aside from the principle of the thing.

    All of this evades solving the real problem. The real solution is to filter spam using something like Spamassassin and, because that's a drain on resources, block the originating SMTP host automatically (and send an email to the technical contact) when X number of spams are received from the same IP address. When Y number of spams are received from an ISP, block that entire ISP. The IP mappings are available or, at least, could be made available. Then the ISP's resources are only tapped up to X (or Y) number of spams. This blocks zombies, but is a stopgap solution. The real solution lies with the originating ISP, which needs to map that back to an account and cut that account off. After that, the originating ISP which was used can send a bill back to the user and turn them in to the FTC for violating anti-spam legislation. All this, of course, with forced banning of ISPs running zombies.

    This, in turn, puts pressure on Micro$hit to fix their fucking operating system, and on users to keep their systems up to date.

    Now the simplest solution? Wait for it, it's mind-numbingly simple. If you're going to block port 25, ALL ISPs should allow opening of port 25 with a no-questions-asked phone call with the understanding that if it's caught sending spam then, after a human review, the account will be cut off.

  42. Re:Blocking port 25 seems reasonable by dubl-u · · Score: 3, Insightful

    Hardcore geek here, with a UID that's far lower than yours.

    You're allegedly a hardcore geek, but you're whining about the fact that people on consumer-grade internet connections are treated like consumers?

    Really, if you want to get treated like the big swinging dick you apparently think you are, you should probably get a real internet connection. Go get yourself a T1 or a colocated server. Or both. Christ, I know people who get hundred-megabit pipes for their hobby projects; if you can't afford the few hundred bucks a month for a home T1, or the $70 bucks a month for a real ISP's DSL, then you should scrape together the $20 per month for a fractional colocated server and run your own mailserver.

    Otherwise we may have to take away your ridiculously low UID and give it to somebody more deserving.

  43. get a box hosted by bug · · Score: 2, Informative

    I think the legitimate question is "should a consumer expect full freedom to engage in potentially risky behavior from a consumer-grade ISP service?" I think the answer is, VERY unfortunately, no. If you want to have greater freedom (e.g., running your own network services, having unrestricted outbound SMTP, etc.), then you should seriously consider colocation. Paul Vixie has been nice enough to catalog many places all across the US and a few places internationally where you can get a box (or virtual vmware box) hosted for relatively cheap: Personal Co-location Registry