Slashdot Mirror
FTC Recommends ISPs Disconnect Spam Zombies
Mike Markley writes "CNN is carrying a story about the the FTC's plans and concerns around spam zombies. They say they will be identifying such zombie hosts and notifying ISPs, and are recommending that the ISPs disconnect indicated users. There's also a recommendation likely to raise the ire of the geekier sorts: that ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound)." From the article: "Law enforcers in 25 other countries, from Bulgaria to Peru, are also participating in the campaign, the FTC said. Absent from the list of cooperating countries was China, where experts say rapid growth and a relative lack of technical sophistication have led to a large number of zombie computers."
Just leave 587 open. The 'geek' users should be smart enough to figure that out anyway.
Home users SHOULD be blocked or disconnected, one or the other. I don't actually care which, but as someone who watches mail queues for busy hosting servers, home users infected with viruses become a huge annoyance.
Video Phone Blogs send video messages straight to the web.
Comment removed based on user account deletion
Having worked for a university tech department that did this, I would have to say, I can't think of a better way to open peoples eyes to the threat of virii than to revoke their internet privilages.
"There are more important things than stopping terrorism. Upholding the Constitution is one of them." - Ars Forumer.
People use their broadband connections for phone and 911 services now -- cutting them off completely could literally cut them off from emergency services.
21st-Century-Citizen
I wouldn't mind to much, so long as you could opt out - just call up and say "I have half a clue what I'm doing" or "I'm not running a festering infected OS from Redmond".
...
I'm guessing most of the people who unwittingly harbour zombie machines wouldn't know wtf port 25 was anyway
Maybe a couple of basic networking questions to weed out the chancers?
Traffic to or from port 25 is dropped at my router. My external email provider gives me SMTP-TLS on a high port, so I lose nothing.
This means that even if a worm gets through the NAT and manages to infect my patched-to current AV-running machines, it can't do what 90% of them want to. Thus, when the patch/AV database update arrives and kills it, I know I've not contribued to the problem.
I guess today is a passable day to die.
That ISPs only permit users to send mail through their own servers (presumably by blocking port 25 outbound)
My ISP doesn't block 25 outgoing but a few spam blacklists have my IP range on their "DSL/Cable/Dialup" listings so I send mail from my internal server through the ISP.
The result? No more "You're on a dynamic IP" bounce messages.
Trolling is a art,
You mean like this list of machines logged on my company's mailserver last night?
dear brain owner,
compliments of the season to you. I am Barrister Urrrrrrrrrrrr Guurrrrrrrr. I represent Rrrrrrrr Rrrrrrrrrr, son of the late gen. Rrrrrrr Urrrrrrrgh, who was the former military head of state in Transylvania. he died in 1312. since his death, the family has been losing a lot of money due to vindictive church officials who are bent on dealing with the family. based on this therefore, the family has asked me to seek for a foreign partner who can work with us as to move out the total sum of us$75,000,000.00 ( seventy five million united states dollars ) in gold, presently in their possession. this money was of course, acquired by the late president and is now kept secretly by the family. the Swiss government froze all the accounts of the family in Switzerland in 1571, and some other countries would soon follow to do the same. This bid by some government officials to deal with this family has made it necessary that we seek your assistance in receiving this money and in investing it on behalf of the family.
This must be a joint venture transaction and we must all work together. since this money is very heavy, extra security measures have been taken to protect it from theft or seizure, pending when agreement is reached on when and how to move it into any of your nominated bank accounts. please contact me so we can arrange to meet you at a graveyard of your convenience in the Transylvania area to complete the transaction. as it is in a rather large box, please bring a chainsaw to assist in cutting it open.
Note: Please send your reply through (Urrrrrrrrrrrr.Guurrrrrrrr@sco.com)
All we want to do is eat your brains.
Here's Bob. Bob is your boss at a small to mid sized company. He's not what you'd call "technical". You're the company's "tech" guy. You also do other things, but when the computers don't work, you're the go-to guy. Your company isn't that large, or that technical itself, so you host your mail with your company's ISP, PhoneCo. When Bob goes home, however, his ISP at home is CableCo. Bob is perpetually calling you either at home, or into his office because he "damn well can't send that email!" Invariably, the reason is because his account is configured to the wrong SMTP server, depending on where he his located.
Wouldn't it be nice if you could just set up his account to use the company's ISP for SMTP all the time? You used to be able to do that, until the spineless CableCo decided they were just going to blanket-block port 25, no exceptions, instead of doing traffic analysis and chopping off the offenders. But that would take work, and effort, and nobody wants to do that, so just block 25 and call it a day!
Note: Some elements of this story might be based on real experiences, which may explain the negative bias towards blanket policies of any type as bandaids.
Closing port 25 is pointless because the owners of the botnet already know to use the ISP's SMTP server, just like the victim does, to send mail. You won't really stop the spam or DDoS this way, you will just stop normal users from doing something that's easy and useful.
There's nothing difficult about running a mail server. Exim comes with debian and has reasonable default values set in a script that tells you what it's doing. It's no harder to run than it is to use a GUI client. There are many advantages to it as well, such as custom mail addresses for registrations and other junk.
Reducing redundancy is bad for national security. In the end, it's much easier to DDoS email by targeting two broadband providers than it is to target thousands of individual users with a clue. The setback will be temporary. As email dies as a useful communication media, Jabber and others will rise in it's place.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Yes, so you make sure you pick a clueful ISP that has MSA (RFC 2476) support, which uses port 587, then you set his mail client to use that, and it works fine both when hes in the office, or at home, regardless of port 25 restrictions wherever he's getting his connectivity from.
Since MSA requires him to *authenticate* (which most clients, even OE and ilk will do happily) when he connects on port 587, and the ISP only accepts *outbound* mail on that port (other ISP's wanting to delvier mail *to* your ISP still use 25) it isnt terribly attractive to spammers.
Hardcore geek here, with a UID that's far lower than yours.
Don't block my outbound port 25.
Don't block my outbound ANYTHING.
Block me off completely when my machine hurts the internet by spamming/flooding/whathaveyou.
I'm so sick of this "Let's surrender our internet because of Microsoft" bullshit. I'm sick enough of it to burn karma by posting this crap that's going to get modded into oblivion.
Not all of us know someone with a well connected server. Not all of us want to post mail from somewhere other than our box. I know that my box is working and isn't logging what I'm sending somewhere else. I know that the government isn't reading my email logs. I know that my server is MY SERVER and that's THAT.
If you don't like it, go back to AOL. Then you can have your little closed interface, able to email all of your little friends who use the same closed interface, and get charged for what I can get for free. All I have to pay for is my connection, whereas you'll have to pay for every "value-added" service you use.
The previous has been a secret message to my comrades.
But there are better ones. I have just shy of 2 million broadband users on my network. Every day I have many customers who are detected as being infected. Automagically they are placed in a walled garden where the only page they can load tells them what is happening. Basically it tells them that they have been compromised. If we can determine the virus/trojan they are running, we give them a link to a locally stored method of corrrecting the problem. I have never received a complaint about it, but I have received hundreds of calls saying thank you.
I do have to question the FCC's thinking though. Most people who get infected are not of a technical nature. If you disconnect them from the net, they are at a loss of how to fix the issue. Obviously they don't have uptodate protection on their machine. if they go out and buy a brand new copy of whatever virus software, it will need to download the latest definitions, which they can;t do because you shut them off.
It reminds me of the mid 90's where if your ds3 to one of the 6 or so backbones went down they would send you an email to notify you. Or sending them a letter telling them you shut their phone off and telling to call you to get it turned back on.
Blocking port 25 would just about kill small business people that use a 3rd party hosting service for their webpages and email.
;)
It doesn't matter what SMTP server you send outgoing mail from (so long as it's not blacklisted) -- SMTP doesn't check domain names or anything (which is also really the reason spam can exist so easily).
I had a situation that was really annoying a few years ago. We were on DSL with the incumbant phone company, and used our own co-located server to send mail. One day, I could no longer connect to SMTP. Called them, of course teir 1 tech support says "no, nothing has changed". I wait for a while to see if it'll go away, then call them back a couple hours later. This time, the guy says that they noticed one router wasn't blocking 25, so they "fixed" it. I decided just to use their server, since it was an easy fix (make a DNS entry in the office only that points to their IP instead of ours).
This was fine for a couple months. Then one day, we couldn't send mail again. I tried to connect to their SMTP, and it would either timeout, or VERY slowly connect. I call them, and they say they're being hammered by viruses, and it'll be fixed soon. Within half an hour it was back to normal. This happened about 3 more times, and I got really annoyed. I called and asked them to remove the port 25 block (just for my account -- even to only my mail servers IP), because it was rediculus we couldn't send email. They said they couldn't, I'd just have to wait. Well, it was several hours and still not working, so I called again, and asked to speak to a manager or supervisor. Basically, same deal "no, we can't take off the block. Maybe you can use webmail". Although it would work, I didn't want to tell everyone to use webmail instead of their email clients just because of this. I called another ISP, asked them how long it would take to get me DSL (and made sure I could use my mail server), ordered it, and called my ISP back and set to get rid of their connection.
Of course, this started another rediculus series of events. The DSL remove order and DSL add order (that get filed by old and new ISPs, respectively) got "mixed up", and a couple days after moving to my new ISP the DSL signal was lost. An angry call to the phone co had it back within an hour (yet it somehow still takes 5 business days normally).
The old ISP also decided that we actually couldn't cancel when we did - we were on a 1yr contract, and had to pay 50% of 8 months service or something for cancelling early. We had been a customer for 3 years, and none of our bills for the past year said anything about a 1year contract. They also couldn't produce the contract -- not even an unsigned version. In subsequent calls, they claimed that it was a verbal contract yet couldn't name who had supposedly made it. Eventually months later, in an effort to get our local phone service back (we had switched to a CLEC many years ago), they decided to "credit" our account for the charges. Of course, we remained with the CLEC.
Anyway, that got a tad off topic, but I felt the need to vent. Stay away from the big phone companies
Speak before you think
The article is quite vague. But I really think that Reuters is misunderstanding the details here and creating this inclarity. The FTC is not so stupid as to block port 25.
/ index.htm
I immediately went to ftc.gov.
Here is a link to their actual press release:
http://ftc.gov/opa/2005/05/zombies.htm
They have a more detailed website at:
http://www.ftc.gov/bcp/conline/edcams/spam/zombie
This site appears to be geared for the people who actually understand what's going on. The very first bullet point on the site states very clearly:
"block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers."
In other words, under their proposal, can still send emails so long as we are authenticating to an SMTP server.
We can use our College email, our Google, Yahoo, etc. accounts.
This is how I interpret their idea:
- You want to send email? Connect to an SMTP server and log on.
- Incoming traffic is not interfered with.
- If you send SMTP traffic directly from your computer to someone else's computer, this is blocked.
I'm not sure exactly how one would implement this because one cannot know every "legitimate" mail server. Further, ISP's will not (should not) be scanning all of our SMTP packets to see what kind of traffic is coming from our computers. The easiest solution is something already in place, although it annoys me. I can still send SMTP from my computer (RoadRunner ISP, New York City) but if I send to an AOL user, for example, I get a reply back from AOL explaining that AOL will not accept emails from a Residential IP address. This is irritating, but it's no bother. Simply have all the ISP's say, these IP blocks are for our residential customers --- if you get email from them, it's probably a spam zombie, so you may wish to block such SMTP traffic if it becomes a bother.
I'm not proposing anything, just trying to piece together what the FTC is actually saying. Trust me, they're not so clueless; it's usually the papers, especially in these generic wire reports, that mess up the details.
The FTC is most certainly _not_ recommending that all port 25 traffic is blocked; they are not limiting anyone to their ISP's mail servers.How would the FTC people log in to their own FTC email from their homes? They'd have the same issues we'd have.
Anyway, since I *never* use my ISP mail server (mostly because Google is faster, has more storage, and is easier to access when I don't feel like carrying my laptop around; and because for professional stuff I tell people to contact me @honorscollege.cuny.edu (even though I SMTP back through Google).
Though less technical, I'm sure, most professional people require such a setup. Think things through. I see so many posts regarding outright and absolute SMTP / Port 25 blocking. That's too ridiculous to believe. Indeed, it's not even close to what the FTC actually says, as I cite above.
Read their site if you still have your doubts. Let it be said, however, that the government is not as stupid as some would like to believe.
Roadrunner, by contrast, doesn't do this. This is why I subscribe to their service now and dropped Mindspring.
Email I send goes over my LAN to my SMTP server, which then handles sending it out. 99% of the time I don't have a problem. When I do, it's usually for some shit like AOL or sending mail _to_ Earthlink or Mindspring, at which point they get a complaint email (whcih they of course ignore), and then a bunch of enraged calls from their customers (who don't understand the entire thing) saying that the ISP's email reception is broken (which it _is_). This wastes their time dealing with their enraged customers. If they don't like it, they can fix their fucking systems.
Of course, I could set a smart host to my ISP's mail server, which solves the problem, but grants me the problem I pointed out in the first paragraph.
If ISPs are going to block outgoing port 25 and effectively break the net that way, then they need to FIX THEIR FUCKING SMTP SERVERS FIRST. If they would do that, then I wouldn't give a rat's ass what the fuck they do aside from the principle of the thing.
All of this evades solving the real problem. The real solution is to filter spam using something like Spamassassin and, because that's a drain on resources, block the originating SMTP host automatically (and send an email to the technical contact) when X number of spams are received from the same IP address. When Y number of spams are received from an ISP, block that entire ISP. The IP mappings are available or, at least, could be made available. Then the ISP's resources are only tapped up to X (or Y) number of spams. This blocks zombies, but is a stopgap solution. The real solution lies with the originating ISP, which needs to map that back to an account and cut that account off. After that, the originating ISP which was used can send a bill back to the user and turn them into the FTC for violating anti-spam legislation. All this, of course, with forced banning of ISPs running zombies.
This, in turn, puts pressure on Micro$hit to fix their fucking operating system, and on users to keep their systems up to date.
Now the simplest solution? Wait for it, it's mind-numbingly simple. If you're going to block port 25, ALL ISPs should allow opening of port 25 with a no-questions-asked phone call with the understanding that if it's caught sending spam then, after a human review, the account will be cut off.
Hardcore geek here, with a UID that's far lower than yours.
You're allegedly a hardcore geek, but you're whining about the fact that people on consumer-grade internet connections are treated like consumers?
Really, if you want to get treated like the big swinging dick you apparently think you are, you should probably get a real internet connection. Go get yourself a T1 or a colocated server. Or both. Christ, I know people who get hundred-megabit pipes for their hobby projects; if you can't afford the few hundred bucks a month for a home T1, or the $70 bucks a month for a real ISP's DSL, then you should scrape together the $20 per month for a fractional colocated server and run your own mailserver.
Otherwise we may have to take away your ridiculously low UID and give it to somebody more deserving.
Both of these concepts have a potential flaw. Burden of Proof.
If someone is using my email address for fraudulent headers to make it appear that I am sending the spam, is that sufficient for them to shut me down? Do I have to prove that the email which I do not have a copy of, did indeed not come from me?
Based on how ISP's have behaved in the past, they would be more likely to arbitrarily shut someone down because their either triggered a spam filter erroniously (false positive) or got their email address put into the spam headers.
I do not agree that there should be a nominal fee applied to someone who is hosting their own mail server. On the contrary I should be getting refund on the basis of lower costs are realized against my account since I have zero email disk usage on their servers and have fewer help desk calls. The uber-geek types only need to call the ISP when the connection is down or blocked.