Slashdot Mirror
Catching Spam by Looking at Traffic, Not Content
AngryDad writes "HexView has proposed a method to deal with spam without scanning actual message bodies. The method is based solely on traffic analysis. They call it STP (Source Trust Prediction). A server, like a Real-time Spam Black list, collects SMTP session source and destination addresses from participating Mail Transfer Agents (MTAs) and applies statistics to identify spam-like traffic patterns. A credibility score is returned to the MTA, so it can throttle down or drop possibly unwanted traffic. While I find it questionable, the method might be useful when combined with traditional keyword analysis." What do you think? Is this snake oil, or is there something to this?
I realize most of us here would ordinarily prefer for our ISPs to just move bits around, but it seems like they are in a pretty good position to curb spam if they were to start look at traffic patterns like this. If some DSL customer suddenly starts opening hundreds of outgoing SMTP connections, that would be a pretty reliable sign that his machine is pwned. Just block or throttle port 25, and send the customer an email telling him to fix his computer, and keep it blocked until he does - or he contacts abuse@ with a legitimate explanation. Not filtering based on the contents of the data should let them maintain plausible deniability and common carrier status.
We can't do this on our personal or company internet connections because we only see individual messages coming from many different IPs, but on the other end of the connection, or even at the backbone level, this strikes me as a pretty solid solution. They could even just tag the packets with the evil bit and let us decide if we want to filter them or not.
I am going to say it anyway. Why can't people stop responding to spam in the first place? Is it too much to ask? If spammers made absolutely zero dollars for their efforts would they stop? Will underdog be able to escape from the burning rubble in time? Tune in next week to find out in our next exciting adventure!
My humor is probably your flamebait
As soon as you've found a way to get that message through effectively to 100% of the population, do let us know.
Where else would I get my Viagra from?
I think the question raises an interesting point: spams *behave* differently on the network than most legitimate emails. It may not be a perfect discriminator, but it sure might be a corroborative scoring aid. This reminded me of the controversy when Slashdot started using text compressibility as a metric for "lameness." I was a disbeliever, and still have my reservations about it, but as a part of the overall toolbox for filtering lameness, the technique seems to have value.
[
Spammers could reduce the trust in this system by reporting false traffic from legitimate servers, especially as long as the participation is still low. Instead of having to trust the source, you now have to trust intermediates. In order for this to work, intermediates would have to be selected carefully.
OpenBSD's greylisting in spamd works wonders.
Trolling is a art,
Mailing lists. How does it not tag a server that sends out mail to a list as a spammer?
Best Slashdot Co
I don't reply to Anonymous posts; if you have something to say to me, identify yourself or I won't reply.
People will stop buying from spam when they stop forwarding every hoax or urban legend they recieve through their company e-mail to everybody else on their address book.
When someone finds a way to do it, please ping me.
please put obligatory Standard Spam Form joke below here please
we've got to keep this place organized
Did you ever notice that *nix doesn't even cover Linux?
That's the problem. this world is full of stupid people. They might not make money off of most people the spam gets to, but if you cast a big enough net you're bound to catch something(including some dolphins). Millions of pennies still add up to thousands of dollars.
You constantly struggle for self improvement - and it shows.
Hooray for bad Engrish on fortune cookies
We could try mass mailing them. I've had some success with that in the past. =)
I believe that this is a very viable approach. I am currently doing research on intelligent intrusion detection systems (not based on traffic analysis), and while SPAM and IDS don't seem awfully related, both traditional traffic-based IDSs and STP utilize data traffic analysis methods to identify potential problems. That being said, I think that the traffic analysis should be used only in combination with existing spam control and heuristics; it's a complex and multi-faceted problem and thus requires several fronts to combat it.
OTOH, As part of a larger array of spam-fighting tools, okay - there's bits in there I actually like and which can be used as part of other solutions, if not used in the way suggested. As someone who runs a couple of MTA's on top of everything else I do around here, I always like to find new and interesting ways of stopping spam.
N.B., all that I ask is this: Please make it useful w/o sucking down resources or requisitioning another server. I detest external RBL's - please don't suggest anything that may have an overly-subjective and/or an overly-dependant basis like that. If it isn't RFC-compliant (yes, Verizon, I'm talking to YOU when I say that!), I won't go near it.
Satisfy those, and yes, I'm interested, as would lots of other SMTP-monkeys out here.
Quo usque tandem abutere, Nimbus, patientia nostra?
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Bayesian filters sometimes find weird words to do filtering on. Obviously there is 'Viagra' and 'Manhood' but there are also words like 'Republic' that have very high correlations with phishing spam- because any email that from the 'Democratic People's Republic of $Country' is likely to be as bogus as the countries name. If a country needs to add 'Democratic' or 'Republic' to its name, you know something's wrong.
/-\|\||) |_33+ |5 |_/-\|V|3.
In a similar way, any easily compressed text (like boing
boing
boing
boing
boing
boing
) is most likely someone hitting cut and past over and over again. AND I THINK WE CAN AGREE THAT TALKING IN ALL CAPS
You are reading a copy of my copyrighted post.
SIR,
OUR TECHNOLOGY DEPARTMENT HAS COME UP WITH A GREAT OPPUTUNITY TO STOP ALL YOUR SPAM. THIS TECHNOLOGY IS CALLED source Trust Prediction (STP). IT WORKS BASED ON identifying patterns and trends in real time AND IN THIS WAY PREVENT SPAM. HOWEVER TO MAKE PROFIT FROM THIS NEW TECHNOLOGYY WE NEED TO DO A PATENT APPLICATION. YOUR NAME CAME FORWARD AS AN EXCELLENT INVESTOR FOR THIS. WITH THE CURRENT RISE OF SPAM THIS TECH WILL BE REQUIRED QUICKLY BY A LOT OF PEOPLE.
I am only contacting you as a foreigner, I will use my influence to
effect legal approvals and onward transfer into your account At the
conclusion of this business, you will be given 50% of the total
PROFITS, 50% will be for me and my family AFTER DEDUCTION OF THE PATENT COSTS
. I await to hear from you.
Yours truly,
Mr.Barry Leoard.
FNB OF SOUTH AFRICA
THIS
IS MY PRIVATE EMAIL ADDRESS, YOU CAN SEND YOUR REPLY HERE:-
barryleonard@walla.com
3 years ago, I was working developing some software for sale to the feds and commercial world. For the commercial world, I proposed the same idea. The only way to stop spam is have cooperating servers. More importantly, they need to have a lot of servers where fake addresses can be sent to. Load these into outlook and let the spammers harvest them. Now, you have a decent service that can be offered for free or sold.
I prefer the "u" in honour as it seems to be missing these days.
I was going to say... What would happen if we all started replying with the same auto generated mails? How would the spammers tell the difference from legit spam replies?
Damn, got beat to it. Sorry for the redundant spammy post!
ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
As soon as you've found a way to get that message through effectively to 100% of the population, do let us know.
Send out a spam saying you can enlarge the recipient's penis. When the link is clicked, it should go to a website that plays audio screaming at the person for being an idiot. A big flashing red message would be good too. Not everyone will get the message, but everyone that needs it will.
I guess it makes sense to throttle the connection: it will do no harm to legitimate email (I mean, it's not like it would really matter if the delivery takes 10 seconds or 50 seconds), but would seriously hamper the sending of millions of messages. That way, it wouldn't really matter if it gets some false positives, unlike with methods where the message is removed if it's deemed spam.
What about legitimate mass marketers. The company I work for contracts with advertisers to send out bulk mailings to our opted-in users. Now, we don't spit out emails by the millions, but we certainly do send out large chunks of emails from a common source. Is this kind of thing going to interfere with legitimate mailings to opted-in customers?
GetOuttaMySpace - The Anti-Social Network
... and its not disimilar from greylisting from what I can tell, but I don't think its going to be
effective in the long term. Getting around this type of filter (or delay) seems relatively simple
compared to the task of defeating the bayesian filters over the past couple years.
The lynchpin of greylisting is that legitimate mail will "try again" after being returned by the
server, while spam will not. The conclusion (which we hope is true) is that any mail that is
not re-sent was in fact spam. Never mind the danger that the assumption could be false and
legitimate mail gets lost -- how long will it be before spammers simply "re try" their spam --
or worse -- just send everything twice?
As with any attempt to modify behavior electronically -- behavior usually wins.
------ The best brain training is now totally free : )
The SMTP protocol is showing all its age and weakness. It has not been designed to cope with today's use.
First of all it lacks authentication and authorisation mechanisms. The various anti-spam, white/black/grey listing look more like workarounds than solution.
Then you'd like to really know whether your message has been delivered or not and other nice details about the messages.
My personal feeling is that it's time now for a new messaging protocol.
SMTP is dead, long life to SMTP!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
FTA: "root cause of the problem: Internet messaging allows anyone to send as many messages as s/he wants."
Ahhh... another controlfreak who lost my interest after his first 1-2 sentences.
This isn't a new concept. Our mail gateways already participate in something like this with IronPort's SenderBase reputation filtering. 90%+ of our incoming mail traffic is dropped based on poor reputations scores without looking at anything more than the sender's address. So far, we've never had a false-positive that we know of, and only once, after many customers were made a part of a bot-net and started spamming, did SenderBase throttle traffic to one of the local ISP's. A quick call to their mail admins pointing out the problem and they were able to block those customers from sending mail until they were cleaned up and the reputation score climbed back up again.
It has really taken the load off our mail servers by blocking millions of connections. The rest, we run through SpamAssassin and everything works great!"terrorism" and "pedophilia" are the root passwords to the Constitution
Are any of you people still living with spam? Do we really need another solution? I've found that a personally managed baysean filter is plenty good enough. I'm down from 700+ per day to 2-3 per day. I still dislike the fact that spam is out there, but I haven't actually had to deal with it in years. Has this not worked for other people? I mean, I do have to continue to feed the filter, but it's very little work. Nothing wrong with new ideas in the battle, but I thought that for anyone who cared it was already won.
Cheers.
Complaining that people are frequently bad decision makers is usually not worthwhile. Much better to recognize the truth that they are, and then work to try and take the decisions out of their hands.
Its similar to a pretty interesting conceptual innovation in medicine, when people realized that even excellent doctors will at some point make grossly negligent mistakes simply due to the shear amount of work they do (i.e. operating on people with paralytics but not analgesics). So the innovation is to make them make fewer decisions - machines that check settings before running, labels that a four year old could understand, arrows and other reminders liberally applied.
So similarly here, yes it's annoying that people continue to "fund" spammers, but education is not the answer. Because, unfortunately, the spammer's target market of "everyone in the world" will always contain enough people to make their trade profitable if all we rely on is good decision making on the parts of spam recipients. So the solution has to be technical or legal. And in that regard, another small step for man here.
Relax I just want some peanuts.
Keep the port open for business commercial clients using T-1 or bigger (or who can at least demonstrate that they have an IT department), and (please!) allow it to be opened upon request by the customer w/o extra charge if he/she can demonstrably articulate on the phone that "yes, I'm setting up my own MTA here for (testing stuff / personal use / etc)".
'course, an ISP requiring clients to use IMAP w/ SSL would really rock, but I'm just dreaming by now...
Quo usque tandem abutere, Nimbus, patientia nostra?
Your post advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
(X) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
( ) Whitelists suck
(X) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
yes, traffic shaping is effective in determining the nature of connections
I work for a small email company we process millions of emails an hour inbound, but only a few million a day outbound.
Our most effective filters are:
connect/HELO restrictions: you can only get email into the environment if your IP address resolves to a FQDN.
HELO restrictions: if you connect using X different HELO strings, you are blacklisted. Spambots often randomize the helos, this blocks those.
Spamassassin at the client side, filtering email into various folders based on the score.
antivirus server that filters the few viruses that make it in, and phishing is filtered too.
The problem? All this doesn't catch enough of the spam. We still have loads of CPU dedicated to filtering spam, but something like this technique at the border will help, and I'll predict (based on experience watching the traffic and spam filtering graphs) that we could cut spam another 30% just by watching the curves and tightening the restrictions during those peaks.
ISP traffic analysis blocking spam = good
ISP traffic analysis blocking torrents = bad
Thx in advance,
Quo usque tandem abutere, Nimbus, patientia nostra?
I have been doing this or something very similar, for 2 years now. It works. I use a special Linux Bridge, kernel ip traffic linked to a Postgresql DB for statistical analysis and scalability. As I have said many times, you have to control Spam by parameters the Spammer can not control. And not by parameters which are in his/her control, like text, pictures...
And don't worry, it's not spam because... (Pick one or many)
One line blog. I hear that they're called Twitters now.
I'm not sure I care. Those "legitimate" "opt-in" lists tend to get reported by users as spam eventually anyway. Meaning even if they did originally 'opt in,' it's basically nothing but a nuisance eventually. (Usually people opt in, allegedly or actually, and then can't figure out how to opt out, or don't want to spend the effort to do so.) The effect is the same as spam, even if the intent isn't.
I would consider the elimination of commercial mass email a very small price to pay for the elimination of spam. In fact, I'd consider it a bonus.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Even if no one ever responds, it won't stop as long as the people paying to have it sent think it works. It's like burning candles to St. Balderdash for scam marketing morons. As long as there is a steady supply of rubes who think that sending spam is their road to riches, and are willing to pay some brighter but no more honest spam lord to send their dreck to a bazillion hapless victims for them, spam will contine to flow.
This is true even if no one ever responds to, falls for, or even opens a spam message ever again.
--MarkusQ
My (previous) ISP did this several years ago. I found out when I was making a computer for a friend. At the time (this was a few years ago) I didn't yet know just how quickly an unprotected windows-box is owned by viruses. I thought I'd be okay for the time it takes to download a firewall. 20 seconds later I got a popup that I recognized as an infection, so I shut down the machine, and tried to get the firewall / AV-software with my other machine instead - only to be greeted by a screen where my ISP informs me that "By the look of your outgoing traffic, it would seem that your machine has been turned into a spam-bot by a virus, and your account will be automatically unblocked 1 hour after the suspicious traffic stops." This was followed by some generic instructions for virus removal.
What would happen if we all started replying with the same auto generated mails?
The time it takes me to deal with the 2000+ spams I get each day would increase unmanageably?
It's official. Most of you are morons.
This wouldn't really work against botnets, would it? Because of the fact that they are distributed, you wouldn't really have a source trust issue... Not one that would trip any warning flags, anyway.
I can see it though, be a handy tool to aid against regular spammers, perhaps in analysing traffic to assist in maintaining SBLs...
Magic doesn't work in my presence. My power of disbelief is too strong.
The money in spam isn't from people buying stuff - it is from the silly advertiser thinking they can send their ads to millions of people for $1000. They do this and get a report back that says only 0.8% of the people opened the email.
The spam-sending organization then shows them that they need to revise their message with a better subject line so more people opened the email. Another $1000 and more spam is sent, this time 0.7% of the people open the email.
Continue this until the advertiser runs out of money. If you have enough contracts for sending spam it matters not a whit if anyone buys the stuff at all. It is only important that people pay for it to be sent.
I was going to say... What would happen if we all started replying with the same auto generated mails? How would the spammers tell the difference from legit spam replies?
:)
That too has been implemented. Its an invited DDOS attack on the spammer. I love it
Regarding the article, this is no big deal. Blacklists, whitelists, and greylists already exist. There is no additional market value with those techniques to eliminate spam.
Why can't people stop responding to spam in the first place?
Get back to us when you convince enough newbs to do that. The reason spam persists is because there are enough idiots to make spamming pay off, even if nearly everyone ignores it.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
No one cares if anyone responds to spam or not. Spammers are the lowest of the low on the food chain. What people who peddle immorality want is a steady stream of junk mail coming into your inbox hour after hour, day after day, and year after year. Eventually, it's going to weaken you - being exposed to all the viagra, penny stock, erase your credit without paying, etc etc etc - pretty soon you'll think this stuff is normal, and when you have to make a moral decision someplace else (someplace more profitable, I might add) this has to play some role in weakening you to think this stuff is normal. You'll be more likely to make a bad moral decision, and they'll profit from it. So the vast web of affiliate programs, spammers, botnets, etc is a low-cost investment for the real sleaze merchants and criminals. You can entice someone else to spam as an affiliate. They hire a botnet. Etc. The real people who profit from spam don't touch it, as is usual for this sort of thing.
And this applies to botnets... how, exactly? If you can infect just a million computers with your spam bot, then you can send a million messages an hour by sending *one* message an hour per host! With a billion plus hosts on the net, you need to infect less than 0.1% of them to make that happen. The number of vulnerable computers at any given moment in time is easily more than 20%.
But hey, for every complex problem...
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Sure, it'd be pretty tedious to do that by hand, but if we automated the process somehow...
Oh, wait.
I imagine that if you ran a script by yourself, your e-mail address would be targeted as belonging to a valid sucker, and passed around on lists, so you'd be spammed even more. The efforts of a scrappy community of geeks are no match for the millions of pwned PCs around the world.
Oh how I wish I hadn't spent my mod points yesterday. Please mod parent up for a very insightful comment.
Easy, first you start a nuclear war...
...Then once all the humans are dead, there will be no more spam problem. Except for the kind in cans. Those will last forever.
'Sensible' is a curse word.
I know of a way, but it is distasteful to too many people.
Death
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Everyone should prioritize their incoming email by who in their address book sent it, or it's unsolicited, probably commercial, email, "UCE", aka SPAM.
--
make install -not war
Democratic Republic of the Congo- Welcome to the land of warlords, genocide, and more genocide.
Central African Republic- Less than half the genocide of its neighbor in the congo.
Dominican and Czech Republics, and Macedonia- actual democracies.
So two of your five examples help prove my point- and when you start stacking adjectives together- like 'People's Democratic Republic of Korea' you know you've got one of the worst places to live on Earth.
Also, why on earth would you get an 'official government email' from someone in these countries? That's less likely than you being a Viagra dealer and have Viagra mentioned correctly in your email. That's also why different people will have different spam filters for their mail- if I worked with the Republic of Ireland or was a professor of Greek history I would probably see the word 'Republic' in legitimate email.
You are reading a copy of my copyrighted post.
I use a popular, public email service. My emails have been identified as spam at times. The reality is the everyone from the service uses the same IP email address. All it takes is one person from that service to send spam and all those using the service get flag...so volume along isn't a good indicator.
Why can't people stop responding to spam in the first place? [...] If spammers made absolutely zero dollars for their efforts would they stop?
First off, if people stopped responding to spam, it wouldn't have any effect on phishing spam, since phishing is based on tricking the user into thinking it's legitimate mail rather than spam. Also, once you have control over an army of zombies, the incremental cost of sending one spam is zero. Even if the spammer thinks he's unlikely to make any money at all by sending out spam, he's already set up to do it, so why not? If even one person in ten million clicks on a spam accidentally because his cat walked across his desk, that makes it worth it to the spammer to have sent out the other 9,999,999 spams. Look at all the bayes-poisoning spams we get, with no link to click on; the spammers know they aren't going to profit from those, but they send them anyway, because it's free. And finally, there are a lot of other things you can do with a network of zombies. For instance, you can carry out extortion schemes by threatening DDOS attacks. The basic problems are (1) poor security of Windows, and (2) the fact that the e-mail protocols were designed before the internet existed, in an era when you knew everybody who was on your network.
Find free books.
Unfortunatly all this actualy does is reduce costs for anti spam companys as they do not have to keep up with the growing levels of spam while consumers keep paying more for their service each year. I have seen this method in action and what it means is people who pay for an anti spam solution are sometimes getting legitimate emails days later then they should. This is due to the mails not actualy being scanned for content just being put on the slow path because of the antispam providers unwillingness to invest in a system which can cope with actualy scanning the content. These test have their place but I have seen them missused at many antispam providers and IMO it's not acceptable.
We made everyone who had a mailing list which contacts more than 100 people "register" with their ISP. They don't have to disclose the recipients or the nature of the list, simply a "I will be sending out a mailing list to x amount of users everyday in addition to my personal usage. Any customer who spits out more than some reasonable number of e-mails (who knows, maybe 200 per day is sufficient for most home users even on the upper ends of e-mail usage) will find their ability to use the outbound server restricted until they contact the ISP. Spammers send massive amounts of e-mails. It would be easy to find a cut off number that would help distinguish between the home user and the user who's computer has been compromised. This probably wouldn't even be that hard of a solution for an ISP to implement and could be mostly automatic except for the entering of exceptions into the database. Spam is really in the hands of the ISPs and their unwillingness to hold their customers accountable. Were I an ISP, I'd keep an eye for any evidence that any of my customers computers had been turned into a bot and require they fix the problem before they were allowed to use the services again. Sure they might go elsewhere, but if every ISP implemented the policy it would make the internet a vastly better place.
Or we could make doing business with a spammer a felony, with a minimum sentence of 15000 hours of community service working for spam-fighting organizations.
Cut that out, or I will ship you to Norilsk in a box.
Anyone ever looked at it? The concept is so simple its amazing. I am not the most technical person, but here is my impression of how it works/ A message comes in from a server that is not on any of the black/grey/white lists. The message gets bounced back saying try again later and the mail server gets grey listed. If the server retries again later (within the allotted time), it gets whitelisted. Spammers never try twice. I went from well over 200 spam per day to ~3 last year. Yup only 3. It is not cpu intensive, the mail is not analyzed or modified in any way, it just plain works. Try it, love it, tell others.
The kind of analysis HexView suggests seems to promise a drastic bottleneck in email delivery as their servers check source IP addresses, etc. Awesome. I love the possibility of MY email grinding to a halt in an attempt to cause spammers delays in packets delivery. Sounds like greylisting under a euphamized name, like how time-shares are now called "fractional ownership."
Is to have the ISP charge for email usage in the same way as you get charged for your cell phone usage.
Undetectable Steganography? Yep, there's an app fo
BTW this system won't work because the author's assumptions are wrong. Botnet senders can easily afford all the following suggested countermeasures. I expect they'll carry on as normal. Then, if blocklisted, switch over to DDOSing the the STP servers until the blocklisting is removed again.
Reduce, reuse, cycle
1. Company offering product or service hires spammer 2. Spammer creates botnet by installing spyware in unsecured computers 3. Botnet sends spam Pretty much any solution so far involves stopping step 3, the delivery when the real problem relies in step 1, we need to find ways to stop step 1 from happening. Lets make hiring spammers a criminal offence, the same way "murder for hire" is. You can catch them by just having undercover officers order the product/service. I say let's make hiring spammer to advertise a product or service a Criminal Offense punishable by jail. It will stop U.S. companies from hiring spammers. Then we put pressure in foreign governments to pass similar laws.
HTML is obsolete. It's time for a new, simpler and richer markup language.
Commtouch does this already:l ogy.asp
http://www.commtouch.com/Site/Enterprise/e_techno
few false positives, >97% catch rate, 0.3s per message scan (on my system from live data, not marketing specs).
have you been defaced today?
Except that, maybe, once the spammer constantly sees bogus (usless) email coming from your "legit" email account, it's in their best interest to stop sending you spam...just to reduce the noise at their end. I guess they could black-list your email address, but then they'd still be getting tones of junk mail to filter...serves them right!
Give a hand, not a hand-out.
For everyone screaming that this isn't feasible, will kill mailing lists, and other wise render effective communication via SMTP impossible you might want to consider that about a quarter of global email volume is already flowing through a system very much like what the OP describes.
s ed_control.pdf
Ironport (recently purchased by Cisco for $830 million US) has been doing this kind of service for large providers for several years.
Their statistics site is publicly viewable, but using their stats requires a subscription fee.
http://www.senderbase.org/
Its interesting to look at how well or poorly the MTA's you use are scored. All of the stats are gathered by the systems they sell to ISP's and enterprise customers. These boxes perform the spam filtering for that organization's customers and provide statistical data back to senderbase.org, which allows all Ironport customers to "know" about problems for all other Ironport customers.
The link to their PDF on their metric's is here:
http://ironport.com/pdf/ironport_wp_reputation_ba
We evaluated their system last year as a possible replacement for a third party spam/virus scanning provider and may end up purchasing their equipment once everything with the Cisco purchase shakes out. Their solution, while not perfect, behaves far better than some of the things that large service providers *coughAOLcough* have tried and are (or were when we tested) comparable to most of the content based scanning systems in terms of spam filtering with a lower rate of false positives.
Really, if people start hunting for spammers and breaking limbs the spam would stop almost over night. Maybe countries should offer spammer as well as terrorist hunting permits... ;-)
Looking at Wikipeida we find that out of the 14 freest places to live, 'Republic' is part of the title on 4 of them. Looking at the 8 worst places to live, 'Republic', 'Democratic', and 'People's' are part of the title of 6 of them, and they appear a total of 10 times in the name of 8 countries. So it seems that my point has some factual backing, and there's a strong correlation between having 'Republic', 'Democratic', and 'People's' in a countries name and it being none of the above.
You are reading a copy of my copyrighted post.
Won't work. It just means the owners of zombie PCs get big bills.
CipherTrust has had a setup like this for quite sometime.... its called TrustedSource.
Here's what I've never gotten. By definition, spam is unsolicited mass e-mail. So ditch SMTP, and replace it with a protocol that has the following characteristics:
Currently, any computer can send out as many SMTP messages as it wants and claim that they originate from wherever it wants. This protocol would mean transparency: gateways would have to be trusted and so you couldn't fake the recipient. There would be basically no change on the front end; only the hosts would have to adjust. And there would be no way to send unsolicited mass e-mails.
Of course, this isn't a cure-all. It wouldn't prevent viruses from sending spam to all their host's contacts, or prevent someone from setting up many accounts via proxies to do nothing but spam at a very low rate. But it would leave a more solid information trail than we currently have, and e-mail viruses would be halted within days at worst. Best of all, due to the centralization, improvements to the protocol could easily be made. In short, as far as I can see, it would be a win-win for the Internet, even if it would require some minor sacrifices.
MediaWiki developer, Total War Center sysadmin
IP Reputation filters are not a new idea by any stretch of the imagination.
CipherTrust TrustedSource
Generally there's nothing to 'reply to' - To order the viagra you've got to go to a web site, or fax in an order - and all the latest 'pump and dump' stock-selling emails don't sell anything at all. They buy some stock, spam out their messages, then dump the stock when the price goes up. Often the company in question knows nothing about it.
Your post advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(X) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
----
In addition, contacting a central STP source for every email would be expensive both computationally and in terms of bandwidth. The STP system would become a huge bottleneck.
I just don't see how politicians, "asshats," blacklists, talking about viagra, sabotage of public networks, email not being free, or killing people has anything to do with the proposal. Did you just random check boxes on yours?
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Why not add some of the results form the spam filtering software in the results...something that would have to be done anyways and is also helpful. This means not only would the traffic analysis be done but it can also be placed against spam scores making the blocking more comprehensive and at the same same time avoid the mailing list problem.
Prior to the twentieth century there was not advertising in the modern sense. When radio was invented there were people (like investors) who asked "why would anyone want to send a message to no one in particular?" It was a major discovery that advertising actually worked. This discovery happened because early advertising was simply announcements (such as in a newspaper to announce that a new business came into existance) and merchants found that their sales increased when they increased the amount and frequency of their announcements.
I think it would be interesting to know what the implications would be if human brains were wired in such a way that advertising didn't work.
Perhaps if we genetically engineered our children to have their brains wired so that they were immune to advertising, spam would go away eventually when there were no longer people in existance for whom it would be effective. However, this is unlikely to happen because even if we could engineer people to be immune from advertising, it would be hard to stop everyone from procreating naturally and it would take a long time for everyone else to die off.
We might also find that there were other effects of the human mind being altered in this manner.
It would probably be easier to develop a drug that would prevent spam from bothering you. (Probably if spam bothers you a lot, then becoming a heroin addict might give you bigger problems and then you wouldn't care about spam anymore - you'd be too busy trying to acquire more heroin and throwing up and stuff.)
Or we could quit using email.
One idea that I had was to create a new email protocol that doesn't have compatibility with existing email systems. Basically redesign email from the ground up. Such a new system might require that all emails me digitally signed with valid certificates that could be authenticated, etc. I put a lot of thought into it. After thinking about it carefully for a long time, I have come to a realization that such a system could not work unless the problem of zombie PCs can be solved.
As long as people are allowed to send email to anyone they want from their personal computers AND there are zombie PCs, then there will be spam. I don't think there is any way around that.
Avoid Missing Ball for High Score
The most effective way to do it is to give the spammer a legitimate-looking but fake response. By response, I don't mean email.
For example, if you get a phishing email for bank XYZ which directs you to a page asking for your name, SSN, account #, credit card #, phone #, etc. type in some junk and hit submit. Then you are GUARANTEED that the spammer will get your junk.
It would be GREAT if there was an easy way to trap the spammer with this information, instead of telling the authorities about it (who are VERY slow in my experience and obviously not very effective). For example, call your credit card company & report a card as stolen, and enter that # on the phishing form (I'm not condoning this!). Or, enter bogus contact info and enter some government agency or the bank's REAL phone number, maybe they will call it, etc.
Sort of like virtual card #'s that the big issues use now... you generate an identity ONLY to be used to trap these losers, and when they attempt to use it, they get caught. There are a lot of missing pieces to my cunning plan, but you get the idea.
It's nice that your baysean filters are working just fine. If you think that can't be changed in about an hour and a half, then give me your email address. I'll post it to a few web pages and you'll be back to hundreds of unfilterable emails a day. I guarantee results. What rock are you living under?
If you mod me down, I shall become more powerful than you could possibly imagine.
There is definitely something to this. At the ISP where I work, they have an excellent spam filtration system set up and it's very similar to what is being proposed. Our first line of defense here is a bit lower level though. As soon as a remote MTA makes a SYN connection to us, that ip is checked against the blacklist and if there's a match, the packet is simply dropped. This alone drops millions per hour.
If the message passes to the next step, it's given a quick envelope check and also makes an ldap check for the recipient. If it passes that, it's handed on again where a body check is done. This portion is done largely by a third party vendor's servers located here on site and takes care of checking for virii, as well as content checks and bayesian filtering. (Though our relationship with this vendor is pretty tight, my boss has actually written some code for them.) If it passes all of this, it's finally handed off to our MTA which does one more ldap check before passing it on to the LDA.
Overall, it does a great job of paring down the tens of millions of inbound delivery attempts to just a few hundred thousand actually delivered messages per day.
The same servers handle our customer outbound mail traffic and they do keep track of usage in an sql database for trend analysis. Any customers that exceed our delivery thresholds are automatically added to the blacklist and blocked during the syn packet check. It literally takes just a few minutes for an infected customer to be noticed and automatically blocked.
It works very well for us and mail servers that used to be under crushing load trying to handle all the spam traffic now perform very well and barely even break a sweat.
"I can be self-referential if I want to," said Tom, swiftly.
Get rid of HTML emails.. Spam isn't as cool when it doesn't have a bunch of fake links, pretty pictures, etc. You think the internet would cease to exist if we went back to text only?
Send a URL in your text-only email if you want to check the email out in HTML...
Just a thought
You sir, have no idea what you're talking about. They get paid by the sale for products, by the lead for mortgages, or a percantage for stocks. Go to bulkerforum.biz and look around.
Before you mod me funny, think, perhaps I was insightfully funny?
Secure Computing invented this Technicque!!TrustedSource gathers data on the behavior of senders across the Internet. In addition to the traditional techniques such as global email traffic patterns and volume, network characteristics and public blacklists and whitelists, TrustedSource is unique in that it includes timely, precise data from Secure Computings's extensive customer network.
> For example, call your credit card company & report a card as stolen, and enter that # on the phishing form (I'm not condoning this!)
I should hope not, since it's extremely illegal, to say nothing of the hassle you'd put yourself through.
It would be nice to be able to generate virtual card numbers for the express purpose of catching a phish. Thing is, someone's going to do it to a legitimate merchant, the merchant doesn't get paid, the merchant gets pissed, and those are the real customers of the CC companies.
Done with slashdot, done with nerds, getting a life.
See the form above. Your "solution" falls into the "everyone needs to adopt it all at once" category. Not to mention that it solves absolutely nothing.
First of all, SMTP does not lack authentication or authorization methods. SMTP+SASL allows for authentication via login. You can also authenticate via SSL certificates. Once identity has been established by one of these methods, authorization is trivial. You can restrict relaying access based on IP. Most spam gets sent through open relays and pwned boxen, so the protocol isn't the issue: the open relays and pwned boxen are.
I think you misunderstand the concept of "delivery" here. Just like the mailman doesn't drop by your house to make sure you read your mail, delivery simply means that the recipient mail server dropped a copy of the e-mail in the location that corresponds to the address you sent it to. Whether the server is correctly configured to then make the e-mail available to the actual person who's supposed to read it, or any other reason that could cause the person to not read your mail is beyond the scope of a mail server. Most mail clients allow you to request a read certificate anyway. I'm not sure what other "nice details" you'd like to see, but "250 - Message accepted for delivery" and "550 - User not found" are useful details from my point of view.
I'm not trying to discourage you from implementing this new messaging protocol. When you're ready for primetime, write an RFC describing how it works and convince some other people to implement your idea. Also, make sure you lobby for legislation requiring everyone to use the new protocol, since that's the only hope in hell you have for widespread adoption. Good luck!
"Please describe the scientific nature of the 'whammy'" - Agent Scully
by looking at the mail headers.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Right, its not possible/legal today which is the main problem...
The fake card # would be flagged somehow, since the point is that the phisher WANTS to use the card at a legitimate merchant (otherwise its worthless). Attempting to process the card would alert the merchant to not fulfill the transaction (no money lost) but they could tell the phisher the order was successful or that item is out of stock or make up some other excuse, and by the time the phisher knows what hit him, the cops show up at his door.
If they can be stopped before they've spent a few grand of some old lady's money on motorcycles (using phished legitimate card #s), then both CC companies AND merchants will be very happy about this.
Exactly - you are only the second person I have encountered that knows how the spam industry really works!
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Many banks allow you to generate one-use credit card numbers with a spending limit. You could, potentially, create one of these with a 1 limit. Then, as soon as it was used, the bank would be able to contact the merchant, inform them that a customer had attempted to use a stolen card, and request that they supply all relevant data to local law enforcement.
I am TheRaven on Soylent News
Do they get paid at all? All of the spam I have received recently has been criminal in nature; some stock scams, some phishing, some selling pirated software (why would anyone buy pirated software? If you are going to pirate, surely you would get it for free...)
I am TheRaven on Soylent News
My email address is already available online right now in several locations. You can find it in less than a minute, if you want. It has been available online since 1998. In fact I have multiple addresses listed on multiple public sites right now, all forwarding to my inbox. I've never put any effort into protecting it, I give to all sites that I sign up to. If you want to put extra special effort into attacking my inbox, well, I don't know if it would survive... go ahead if you want, but that's not really the point. The point is that my email has been and continues to be publicly available, so I'm not hiding from spam, yet my inbox is under control. So spam is not a problem for me.
Actually, I just checked and in the past 2 days I've received over 4300 spam messages and only 1 got through. The 700+ figure was based on the last time I bothered to check.
Baysean works different for different people. Maybe if it didn't work for you it's because the emails you want are not as different from spam as mine are? More likely is that you didn't train it properly or have the thresholds set right. Beyond that, I don't know what to tell you.
Cheers.
I have a question along similar lines.
What motivation do spammers have for designing spam that gets around the filters? If I implemented a filter to get rid of viagra ads, what is the likelihood that I will buy it? Sure. Maybe the 'enter your bank password here' scams need to get around the filters. But if I haven't responded to the first thousand viagra ads, you really aren't gaining anything by sending me more.
Heck. Spam MIGHT be tolerable if like snail mail ads, they're done tastefully, done well and in moderation.
Take home message.
I really wish they wouldn't compromise my filters... Thunderbird lets in half of the spam these days because they're all images over top a page from a novel. My sysadmin doesn't have time to implement server side filtering. I'm just swimming in spam.
Help!
Whoops -- I confused my work email with my personal email there for a sec and mixed up the info. The correct stats are:
4300 spam at work in about 45 days, 2 spam got through.
900 spam at home in about 2 days, 1 spam got through.
It varies, of course, so sorry if my previous numbers were a) wrong or b) outdated. Still, I think my original point stands.
Cheers.
Rule #1: Spammers lie.
The person actually sending you spam very often doesn't care whether you buy the product being advertised or not. They've sold their spamming services to a paying client, after convincing the client that their "opt-in e-mail marketing campaign" will be effective. If nobody buys anything, the client doesn't make a dime, but the spammer has already been paid, and moves on to the next victim. If people do fall for it, the client may be interested in repeat business, but that's not necessary.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
You can't just hit the "reply" button; spammers spoof the return address on their spam to make it look like it came from some random address on their list. As others have mentioned, it's called a "joe-job". If you reply to the spam you get, you'll be sending your replies to just another one of the spammer's innocent victims.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
No, your original point does not stand, it was only ever wobbly at best. The minor differences in your stats really don't bear on the point at hand, which is that although you have managed to massage your filters to an impressive degree, the experience of others indicates that baysean filters are no longer as effective as they need to be. The approach is (a) too labor intensive, (b) error prone (valid emails get eaten) and (c) failing for many people. It's really nice that it hasn't bitten you yet, but really, I didn't think there was anybody left on the planet who didn't realize that spam is a growing problem because the spammers have learned some clever ways to get around clever filtering. You should be studied by science. There is probably some area of your brain that will light up when you think about this problem that will someday be called the Missouri Lobe.
If you mod me down, I shall become more powerful than you could possibly imagine.
http://www.networkworld.com/reviews/2005/041105sym antectest.html
www.networkworld.com - Symantec's new Mail Security 8100 Series appliance offers a twist on spam management. It limits the amount of network bandwidth spam can consume. In our exclusive Clear Choice test of the Mail Security 8160, we found that when the bits start flying it manages the load on corporate mail servers quite well, providing a good first line of defense in reducing the amount of spam that enters the network
I hate spam. I still get mountains of it, because I haven't sent a separate snail mail to a separate address to every jerk on earth who wants to spam me. You wouldn't have to worry about any traffic-based filters if the messages only went out to real opt-in users.
Your post advocates a
(x) technical (x) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(x) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Keyword analysis and Bayesian methods that depend on it, are useless. Most spammers are switching to image spam where they embed pictures of text instead of actual text.
You are correct, in principle. As soon as the supply of stupid people dries up, it would slow to a trickle. But how long will that take?
If you want to get an idea of how much spam would get sent even in that trickle, grab a copy of every daily paper on the planet and count up all the prayers to St. Jude and so forth in the classifieds. Multiply that number by the number of addresses in a typical spam list and that should give you a rough estimate of the amount of spam that would still be getting sent each day even if it didn't work.
My back of the envelope estimate puts it at around 1,000,000,000,000 individual pieces of spam a day, put I'll admit I only looked at a few papers and extrapolated. Another way of looking at it: if only one person in a million is dumb enough to send a piece of spam each day even knowing it would not work, and they send it to a million people, there would be 6,500,000,000 pieces sent every day.
And 0.00001% of the population may be a low-ball estimate of how many dumb people there are. I suspect the actual number is somewhat higher.
--MarkusQ
Other than a possible cultural misunderstanding of the phrase "the peanut gallery", I have no idea what prompted such an abuse of moderation. I fully expected to find this at +3 or higher when I woke up this morning, with some combination of funny and insightful.
When I came back to see -1 troll, I closed Slashdot for a while but then I got angry and decided to post. This type of moderation abuse is why people stop coming to Slashdot. If you don't think it's that funny, just leave it alone. There is no troll in the above message. Read it again if you still think so. If that fails, read it again.
Background: I have 2 accounts: my own domain (primary) and my isp account.
I'd like to set up the followng for my own domain: I maintain a whitelist, any email from someone on the list goes right through. Everything else is bounced with a message explaining about the whitelist and asking them to email me on my isp account -- or contact me some other way -- to have me add them to my whitelist.
Unless I'm missing something, this will eliminate 100% of spam from my primary account. It shouldn't affect spam to my isp account, because that address is already on the web. All in all, this seems like a very simple and extremely effective solution.
The downside is that it will make it a little harder for people who aren't already on my whitelist to contact me. I'm trying to think how many times I received a message I care at all about from someone who isn't already in my address book, and I'm not sure it has happened in at least a year. Most such people -- for example, someone who reads a post of mine on a forum -- already contact me through my isp address.
If there's a downside I'm not seeing (aside from "Whitelists suck" :-), I'd like to hear about it.
Mostly I'd like to know if there's a domain host who can make this happen. My current provider (domain direct) already has a whitelist option, but not a user-configurable autoreply to non-whitelist messages, which is important to my comfort with this plan. If anyone knows a domain host who can do this, I'd appreciate posting it, or email me at pjmccabe@adelphia.net.
Alternately, is this something I can set up reasonably easily on my Mac running OS X 10.4? I know mail has filtering and autoreply features, and I was a programmer about 20 years ago, so a roll-your-own solution is not out of the question. But I'd rather my ISP do it.
> STP server correlates this information with the data received from other MTAs
> and replies with a number that reflects how likely the sender is a junk mail source.
How exactly is this done? What differentiates spammers from legitimate senders?
And how is this idea any better than reputation databases which assess the long term
sending history of particular mail servers (and domains, where domain authentication
is provided)?
These days the vast majority of spam is sent from botnets. Botnets by definition
fly under the radar -- the only thing you know about them is that you know nothing about
them until it's too late.
Correlating traffic patterns is an interesting idea, but the author doesn't flesh it out.
What specific correlations would you make? Give us the details!
It seems to me that there's no reason that a spam mailer couldn't operate with a traffic pattern virtually indistinguishable from a non-spam mailing list. To the extent they don't *already* do that it's probably just because they haven't had to. If such analysis becomes routine at ISPs, that will simply motivate the spammers to tune their engines behavior a bit, and the "fix" will be rendered useless in no time...
100% of the trouble on the Internet is caused by Windows computers. PERIOD! Boot the stupid bastards off our (Unix&Mac:OUR!!!) Internet and don't let them back on until they can run something that doesn't get ass-raped in five minutes! But ooohhhh no, we couldn't solve the REAL problem, could we? No, we'll just keep farting around doing nothing about it.
Anybody refute this? Show me ONE spam incident where the server access log doesn't show a drolling moron running Windows with no service packs/security updates.
One can come up with all kinds of trick to filter spam, however, the problem still remains. Spam will continue as long as it is profitable. There are too many "Puppies in a barrel" for a spammer to choose. After many, many years of prodding, many people have finally gotten antivirus program, yet they neglect to download or purchase virus database updates. Many people spend time and effort to ensure that their computers are malware
.
free, yet their router retains the default username and admin password. Spammers have programs that allow people to try to log in to these routers and use their embedded telnet commands to send spam without the knowledge of the computer owner or any program residing on their computer. The point is that the Internet can be compared more to "swiss cheese" rather than the "series of tubes" that the politicians use. There are many, many points of attack for spammers to use.
Filtering spam is much akin to a person who holds hands in front of his or her face while a bully is pummeling him or her. The person is likely to fend off blows from the bully, but some of the blows will get through. Once a spam is sent, even if properly filtered, the damage has already been done. Until very recently, all I had in my area was dialup. My program successfully filtered about 99% of the spam received, however I still had to wait about 30 minutes before I was able to view my legitimate mail. I lost 30 minutes of time that I could have been working on a client's problem, while the spammer lost nothing. I also lost a client because a program that I previous used labeled his email he sent me as spam. Again the spammer who spammed me lost nothing. Spammers are like bullies, they will not stop until people HIT BACK!
It is only when spammers have to deal with the large amount of bandwith used, the processing power to handle complaints, and the loss of sales that result from efforts to filter complaints will spam be much less profitable. The idea is to punch back and deter the bully. Sending complaints to the spammers' websites get them at their weak point - the place where they make contact with potential buyers. Several program have attempted to hit back, and 2 of them were very successful in doing so. However, like spammers, these programs had a weak point, and that point was the fact that they needed a central server in order to instruct each individual program. Now things are different. There are several projects currently underway to trade complaint instruction files via peer to peer networks. What this means is that there is no central server which spammers can attack in order to silence complaints to their websites. One such project is called SpammerSkewer, and it is an open source GPL program that is in alpha. The program can be found at http://spammerskewer.sourceforge.net/
It is also important to note that these new programs are not distributed denial of service programs. As for SpammerSkewer, it only receives instructions on how to complain. It does not initiate complaints. Only a user can initiate a complaint by either bringing up the complaint interface or by dragging an email into SpammerSkewer's spam directory. It is the Spammer who determines how many complaints are submitted to their websites. SpammerSkewer's author even provides a way for spammers to "opt out" from receiving complaints if they insert a header clearly labeling their email as spam. Another way they can opt out is by not sending spam in the first place. In a distributed denial of service attack, a person other than the one who controls a victim's website is the one that controls how many visits a site receives. With SpammerSkewer, it is the Spammer who sends out the spam that determines how many visits a site advertised via spam gets. The only sites that are put in SPammerSkewer's instruction files are those well known to be advertised via spam. Instruction files are also cryptographically signed in order to prevent tampering. I
I want to make a program that you can give a spam link (or many links) to and it will access that website over and over and over again when my computer is idle. How 'bout fighting back? Get enough people to use this program and you have a legitimate force.
Send a spam e-mail.....get slashdotted. How about that?
Tolerance does not tolerate intolerance, or hypocrisy.
... www.senderbase.org?
"SenderBase is the technology that allows IronPort Reputation Filters to block 75% of incoming spam at the connection level, with less than 1 in 1M false positives. SenderBase also enables IronPort Virus Outbreak Filters to stop virus outbreaks as much as 42 hours ahead of industry standard signature availability. Only IronPort has access to the global traffic data of SenderBase."
You just invented Blue Frog. They essentially shut down after the DDOS attacks got to be too expensive.
My software is nothing like blue frog. Blue frog would give you tools to easily get your e-mail removed from the spammers lists. They folded because spammers targeted DDOS attacks on their servers and made the software unusable. My software would basically launch a DDOS attack on anyone that sent out a spam e-mail to people that had my software. The more people you send out spam to, the larger the DDOS attack. The recipient of the e-mail has the final word on what is spam and is not. I think this would at least make spammers think about who they send e-mail to. At least if they actually targeted people that might be interested, not just any valid e-mail, the spam volume would reduce immensely.
Tolerance does not tolerate intolerance, or hypocrisy.
Yeah, this is pretty well understood by the content filtering community. The spam problem was solved several years ago, but most administraters still refuse to do any of their own work to implement a working solution and expect someone else to give them a button to push to solve it. Hence the arms race.
It works for you because you spent hours doing research and training. It works for everyone else who does the same thing. Despite the "common knowledge" that "bayesian filters can be beaten", no one has yet published any evidence demonstrating that a properly-configured filter can be beaten in any significant degree without making ridiculous, easily-defeatable assumptions.
Complaints that setting these filters up correctly are "too hard" are ridiculous when you compare the time most people spend day after day trying to stay ahead of the arms race vs. the up front time needed to configure a decent content filter and then leave it alone. Even the ongoing training can be (mostly) automated. And false positives are just more indication the filter isn't configured correctly.
This bit from TFA:
"Statistical (bayesian) scanning is easily defeated by randomization; numerous techniques exist to avoid keyword-based detection and new methods surface regularly. Content scanning is also known to suffer from false positives."
is particulary absurd, since anyone who knows anything about Bayesian Classifiers knows that _random_ words are never going to show any statistical significance at all unless your normal, legit mail flow is also comprised of the same "random" words. NBCs look for statistically significant anamolies, they aren't fooled by mere randomness.
Do spammers try to poison Bayesian filters with random words? Yes, certainly. Has anyone demonstrated real, verifiable evidence that this has any effect at all against properly configured filters? No. But people are so used to losing, they assume they've lost once they see the attempt.
Chances are the people that actually send the spam messages (those who control the botnets) are not the people making money from stock scams, phishing, or sales of pirated software.
In the same way legitimate businesses will pay marketing companies to run advertising campaigns, design, send and manage email distribution lists, etc, less legitimate 'businesses' pay spammers to send out their message to as many people as possible.
So yes, they do get paid - just not by the victims of the spam.
Thanks for the reply. That's more or less what I thought. I didn't mean to offend anyone by implying spam isn't bad... it is bad. But it just seems like the industrious user can all but eliminate it these days. I think it is critical with bayesian classifiers that it is per-user. We have a site-wide implementation at work which sucks and I asked them to turn off (false positives and still too much spam slipping through) so I could manage it myself. Actually, I'm not even sure how a site-wide one could possibly work as intended. Some default configs also take shortcuts like having the filter self-teach, which is stupid, because that means it just learns to repeat mistakes.
Anyways, as usual, the devil is in the details.
Cheers.
Spamming makes money for some people, because "there's a sucker born every minute, and two to take him", and spammers are happy to sell to the sucker, the two that want to take him, or both. It doesn't matter that some spammers are wanabees who lose money; if they fall off the map, there are more replacements on the way. If spamming didn't work, there wouldn't be so much of it, and it wouldn't be increasing in volume so fast.
We don't care why spammers think they can find suckers - we only care how, because that offers some hints for how to detect them and either kill them or distract them into areas where they spam each other and leave us alone, optionally while we sell them bandwidth or imaginary hosting space in Nigeria or whatever. If we can make it technically infeasible or economically non-profitable to spam *us*, they'll stop spamming us, but otherwise they'll keep it up.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
the experience of others indicates that baysean filters are no longer as effective as they need to be
That's interesting... I thought the proof would work the other way: if I can make it work then doesn't that prove they are effective? I don't know if you feel you are happy with your own spam filtering, but if you can install spamassassin I'd be happy to share my setup with you.
Cheers.
Anything that requires cooperation with the ISP's are probably going to fail. Spam mail will usually be coming from a huge variety of IP addresses. In the past, I've kept statistical record of IP addresses, and the pattern usually comes from a lot of Cable and DSL users who were no doubt unaware their PC's were part of a large botnet.
/. with contact info, and I'll contact you. If the Russian Mafia knows who I am, I'm sure they can "touch" me - so I wish to remain anonymous.
In 2004, from July (After HOPE), I deployed a proof of performance system which involved
aggressively reporting ALL spam, going far far beyond what SpamCop is doing. It shut down over 500,000 infected machines... infiltrating the Russian language spammers chat channels, we leard how effective it was. Brightmail reported a 20% drop in spam while I was running these tests. I realize now it needs a lot of streamlining, and now the Whois servers won't allow automatic polling anymore, I abandoned the project by November.
if I can have a "nice" way to poll whois servers on about 20 - 30 IP addresses automatically, I can realize such a system might be useful to others.
I wasn't interested in making it available to others, because I thought it could be abused, because if just one non-spam message gets reported, that poor unluckey person won't have internet service until they call and explain. Most of the time I spent care and feeding this puppy was to have a very clean "spam pot" of 100% spam. I was reporting about 25,000 spams a day (something you can't do from home DSL or cable), from my Co-Location's T3.
The ISP's really liked the reports. They contain any and all information the ISP is going to need to identify the infected machine, and it even aggregates reports into a CSV file defined by the ISP's needs.
The net result is this, according to my statistical reports... the average lifetime of
an infected host is 6 - 10 days before it's discovered and shut down, and some NEVER get shut down because the ISP's dont give a crap or they are offshore. For Chinese ISP's I wasn't sending them spam reports, instead I was sending them spam reports to the American Gateways providing China's Connectivity to the States, Scolding them for not taking a more
active approach and pressure the Chinese to be more aggressive. Seems to have worked to some extent...
When we ran our "Proof" code, the average lifetime of a zombie was hours instead of days. ISP's late in dealing with our reports were scolded and sent more reports to their upstream providers. Eventually, some in my list of ISP's I'm reporting to, will usually deal with them within hours... some will immediately cut off a subscribers access as soon as more then 3 spam messages tied to their IP block are noticed. User would then wind up calling the ISP, who then would notify them that they need to clean their PC's before being allowed on.
About 15% of the IP addresses had incorrect Whois information. Where were intered into a dated database, and are automatically mailed out to ARIN, APNIC or others to inform them their records are outdated. In this process, we nailed down several instances where some large upstream cisco routers had been hacked, and some unused IP addresses were snatched up for spamming purposes.
if I can solve the problem of obtaining accurate Whois on IP blocks and acquire accurate CIDR blocks of spam originating machines, I might reserrect it again.
If anyone wants to contact me on this, then please leave a message here in
Because replying to these messages just winds up going to some forged address, and in the past, some people get flooded if their Email address is used as a Reply-To address.
Anyone who replies to spam messages should know that in most cases, it goes nowhere but to some innocent person who happens to have that reply-to address.
The only way to identify the TRUE location of where the message comes from is the First
recieved line's IP address in backets [202.12.12.1] like this. It only identifies the IP block of some machine in some botnet, and the owner is usually unaware it's their machine that send that particular spam message. A whois will give you details of the owner of that IP block, but due to privacy laws, it's impossible for us mere mortals to know who's machine it is. A court supena when submitted to the ISP might result in some action. ISP's will only give this info to Law Enforcement agencies.
If you have a lot of money to burn, and want to hire an attorney, a PI, and other professionals to go after them, FAR OUT - Knock your self out - all of us will get behind you.
If people really want to stop spam, they have to stop using the same linear thinking that caused the arms race "Don't want that email, must block source" and attack the ROOT CAUSE of the problem. The majority of spam has one underlying purpose, to direct Internet traffic to a destination for the purpose of making profit for the spammer. I propose a simple solution.
:)
A consortium of ISPs agrees to block all access TO a site advertised in spam emails sent to recipients of that service. i.e. Someone spams tens of thousands of AOL customers telling them to go to www.bigblacktitties.net. Instead of blocking the email, AOL blocks any of the people on their ISP from surfing TO that URL. An automated message is also sent out to other consortium members with the URL, and that address is then blocked on all of them as well.
This solution hits spammers where it hurts. By spamming a broad audience to promote a site, they end up making their site invisible to millions of potential prospects. They want to drive traffic to their site, not prevent people from being able to get there!
Blocking the sender will never work because of spoofing. Blocking the DESTINATION is far more effective.
NOTES:
* No the system isn't automated, an admin adds sites to the block list to prevent malicious attempts to block legitimate sites.
* Users attempting to connect to the blacklisted destination get an automated message that the site was blacklisted due to being associated with spam, fraud, phishing, or some other TOS violation. It also gives them instructions on how to reactivate that address just for themselves. This allows legitimate customers of bigblacktitties.com to regain access, but puts the onus on them to initiate this and can tip off ignorant suckers to potential scams (i.e. like when they get the fake paypal phishing page and it wont even load the images because its been blocked)
Site-wide can work. It just takes some extra tuning considerations. See e.g. http://www.usenix.org/events/lisa04/tech/blosser.h tml
;-)
The predictions were that it wasn't feasible but the evidence from multiple quarters hasn't supported that so far. I'm not sure anyone has published anything on *why* that might be yet, but it is probable that there are population size break points between which legit mail is relatively homogenous enough to still be distinguishable from spam. In our environment the filter can tell the difference between wanted and unwanted mails coming from the same opt-in vendor newsletter to multiple business recipients.
If you guys had a DFW office I might be convinced to come show you.
And self-updating classifiers are Russian roulette.
It's still running SMTP, but instead of running a full-scale turing-machine-complete bells-and-whistles mail forwarding and delivery extravaganza like Sendmail, or the somewhat lighter postfix / qmail / etc., all of which have to manage complex delivery rules, spam filters, and mail relay capabilities, spamd is basically configured to do some simple spam-repeller rules, relay mail that's potentially not spam to your real MTA, and optionally harass anyone that looks spammy. This makes 50-90% of the email go away, letting your memory-hogging CPU intensive spam filters and mail delivery engine handle the more clever spam and the occasional real message.
It doesn't take that much resource to do basic SMTP and greylisting. After all, Sendmail originally ran on a PDP-11, as did UUCP, and it's mostly a simple state machine that does a couple of handshake plus keeping a simple database lookup - and the database doesn't need to be an SQL engine, just a simple hash table or Berkeley DB or equivalent, keeping track of an IP address and a timestamp, plus another list or two of valid email usernames, known evil sites, etc.
Spamd has another big advantage, which is that cleverness of spam content and cleverness of spam delivery method aren't closely correlated. The spam that puts lots of work into embedding images in the message body or being the most uniquely plaintive Nigerian widow may be harder for your CPU-burning Bayesian filters to crunch, but it may be delivered from known zombies or high-performance delivery engines that don't slow down to respond to return codes, so you can save a lot of transferred bits and CPU just by greylisting or by running slowly for the first few seconds. And some of the really clever spam/phishing writers are using stolen address space, which is a really clever delivery system that doesn't survive greylisting either.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Please post it to a web page where everyone can benefit. Undoubtedly your configuration is more effective than those used by many people, probably including me. If I may humbly submit, however, it is not my own inbox that I have in mind when I suggest that spam is a real problem. One of my clients rejects so many messages at their gateway that they generate about 1 GB of logging messages about that activity each day. Despite several very competently designed antispam layers, including spamassassin, at least 1 GB of spam still gets through each day. They are responsible for many thousands of inboxen. Even if only 1 in 900 spam leak through, it's still a huge, huge problem. Spam accounts for the majority of email traffic on the internet. Spammers can and do generate messages which defeat baysean filters. It is a real, large, and growing problem.
If you could solve the spam problem with your SpamAssassin rules, you would be an internet hero and perhaps could become very wealthy as a result. Why are you hiding out in a slashdot forum when you can help save the world from spam?
now don't talk to me about the polar bear
don't talk to me about the ozone layer
ain't much of anything these days, even the air
they're running out of rhinos - what do I care?
let's hear it for the dolphin - let's hear it for the trees
ain't running out of nothing in my deep freeze
it's casual entertaining - we aim to please
at my party
-- Dire Straits
If you mod me down, I shall become more powerful than you could possibly imagine.
The article says: "Statistical (bayesian) scanning is easily defeated by randomization".
This is simply not true and I guess folks at hexview haven't met any real bayesian anti-spam application. I develope (and use!) a statistical (though not Bayesian but inverse chi square) content filter and I can tell you that it's far from "being defeated". I get lots of spam every day and it marks them correctly and catches at least 99.5% of the spam easily.
Nowdays most of the spam is sent by botnets as illustrated in the "Many-To-One" scenario. They accept that it's a difficult to handle situation and heuristic filtering is required unless the bots send a high email traffic. What about new botnets, unknown to the STP system? Bayesian filters can handle this. A typical shortcoming of this STP thing is that they cannot handle situations when you get spam from a low traffic host or if your colleauge bothers you with some stuff. Statistical filter can help you with this, too. It's unacceptable for me if a 3rd party judges my emails whether they are spam or not. That's why I keep avoiding solutions like STP, RBL, ...
You are right! I shall retire off the proceeds from referring people to the spamassassion man page!
More seriously, I'm not saying that I can solve the world's spam problem, just that a motivated person can make spam a non-issue for themselves.
Actually I already posted my config in reply to another comment, but more importantly you have to feed it properly.
I think there may be a misunderstanding of what bayesian filters do when it is said that spammers can "generate messages which defeat baysean filters". Which bayesian filters? Certainly not all, because they're all different. That's the point. Unless you're using them site-wide, which kind of misses the point.
Anyways, I'm pretty sure I'm not convincing you of anything, but I thought I'd wind down with that.
Cheers.
* keep it legal (a straight DDoS is not legal, and your users would expose themselves to legal repercussions)
* involve human-written scripts to access the spamvertized company's site, so that the response (a complaint) would be successfully delivered in the most effective way possible.
The legal question is essential. You need more than a few hundred (or a few thousand) people using the software, or the impact is negligible and avoidable. And of course if the spammers just manage to get one of your users or YOU heavily fined or jailed for DDoS attacks, that pretty much finishes it.
So BlueFrog was designed on the idea that one spam = one complaint on the spamvertized company's server, often submitted into an order form or something like that to get their attention. Unfortunately for their model, they managed this by having users send all spam to a central server, where they processed it and sent reporting scripts back out to the clients, who would submit the actual complaints. Obviously this presented an attackable weak link. The complaints would include text that told the spammer how to download software to clean *all* bluefrog users from their lists... unfortunately (this was the other, smaller flaw) the spammers could figure out the blue frog users on their lists by doing a simple compare of lists pre & post cleaning. Then harass them directly... though the number of users was high enough that this didn't amount to much in the end.
Personally, I STILL think this is the closest anyone has come to a successful campaign against spam. There's a project set up to create a similar, but distributed, system at http://okopipi.org/ if you are interested in pitching in and solving the remaining issues.
Just please don't create yet another DDoS against spammers tool (there are others out there already, of course) that is blatantly illegal to use and thus cannot be anything more than a mild irritation to spammers.
SPAM is a real problem which has threatened to make email unusable. If we professionals don't acknowledge that this is a real problem and figure out how to fix it, email will become such an annoyance for people that they will stop using it. I submit that in fact this is already happening. Ordinary people who don't make their living in Information Technology are already abandoning email. Why? SPAM makes email a pain in their backside.
Yes, that's what you are saying. Unfortunately, this isn't a relevant point. Just because you, a Ninja, can walk safely through the streets of a crime-ridden neighborhood doesn't mean that this neighborhood would be safe for your grandmother, too. Your answer is the naive (or perhaps merely innocent) equivalent of "Grandma can be safe if only she too became a ninja!"
So, can your grandmother "properly feed" her baysean filter? (Thanks for posting your configuration. I'll take a peek at it, and I'm sure others will benefit. I'm not calling you a liar, I'm simply pointing out that your solution isn't scalable. It's not like there are not lots of smart people using the same tools to fix this problem. It's still a problem. Something is obviously not working.)
There have been quite a few articles about this problem in the past couple of months. Here's one: Spam on the rise with new breeds Researchers say spam has risen significantly in recent months -- by as much as 80 percent
If you mod me down, I shall become more powerful than you could possibly imagine.
- White Knight of the Order of Mihoshi Enthusiasts
Hell let me just give you some numbers. I'm terminating 760 ATM PVCs (DSL customers) on this router. It's rejected 359,093 outgoing tcp/25 flows since I last updated that ACL 1.5 months ago. Over here I have about 800 cable customers. It has rejected 4,217,900 outgoing tcp/25 flows in the same time frame. Over here I have a pair of routers for a dual-home CMTS with 411 customers on it. Between the 2 routers in 2 months time they've rejected 8,918,045 outgoing tcp/25 flows.
Mind you these ACL counters only increment on flows, not individual packets. That's 13.5 million (say it with me again, 13.5 million) tcp/25 flows from less than 2000 customers that have been blocked by this simple, yet obviously effective, ACL. That's a lot of spam we've blocked and this is only a snapshot of a small window into our network. That's spam that would have ended up in your inbox. Ya'll can thank me later by buying me a beer at NANOG.
Naysayers who bitch and moan about their ISP blocking tcp/25 which keeps them from running a poorly configured and ill-maintained SMTP server on a residential broadband connection need to get a grip on reality. Their ISP is acting responsibly. Their ISP is doing what it can to stem the tide of spam flowing from its networks. I'm not responsible for a given user's personal PC. I am responsible for making sure that their neighbor, another paying customer of mine that isn't spamming the world, gets the service they're paying for. If my unsecured spamming customer #1 causes us to get our entire ARIN allotment listed on an overly aggressive and irresponsible DNSBL (I'm not saying all; I'm only saying that a few are run by 12 year olds that hurt the rest of the anti-spamming community of which I'm a card-carrying member) which in turn is stuffed into a BGP feed and dropped by an idiot netadm somewhere else in the world then customer #2 is not getting their money's worth. I'll gladly kick out customer #1 to meet my SLAs with customers #2-#n. Unfortunately by that point it's too damn late. Customer #1 has caused me weeks of grief and had caused customers #2-#n to become unhappy with my services. The fix is to keep Customer #1 from inadvertently becoming a pain in the ass.
If you want to run a SMTP server then rent a damn co-lo server or a virtual slice of one. Myself and other mail and netadms go out of our way to block tcp/25 traffic from any dynamically-assigned netblocks of our peer SPs. We willfully share this information with other SPs and we rarely have trouble getting it in return. If you want your mail to be received by a large percentage of the world then you'd better not be relying on a SMTP daemon you set up on your mother's PC. SMTP is only as reliable as the effort you put into making it so.
This isn't a reasonable thing. Repeat after me people, the willy nilly free love days of the Internet ARE OVER. Running a SMTP server on your home PC is not a reasonable thing to do. All responsible ISPs will block outgoing tcp/25 to dynamically assigned residential customers. I do this. If you want to run a server then get yourself a 1U co-lo or a virtual slice of a server for $10/month. Stop being part of the problem. Stop running SMTP daemons on your mother's PC.
Users like yourself are not desired by any ISP. You're a member of the elite and self-righteous groups of users we fondly call pain-in-the-ass users.
We're not just blocking outbound tcp/25 to protect you. We're doing this to protect 99.999% of our userbase that doesn't abuse our services and stretch our networks to the extreme. Frankly we ISPs don't care about users like yourself. You increase our support costs. You bitch and moan about everything. You put up websites to flame your ISP because they happen to have an maintenance window when you wanted to play WoW through the wee hours of the morning. You bitch and moan because network congestion caused by other users like yourself adversely affect your Skype traffic, even though you won't pony up for a DSL with QoS.
If you want to run a server then buy a damn server and rack in up in a co-lo where servers belong. Or buy a business connection because that's what your traffic level meet. If you want residential broadband then buy residential broadband. The two are mutually exclusive.
Thanks for you misguided rant, quite amusing.
My ISP (and I mean mine, I'm a shareholder) doesn't give a flying fuck what I do with the bandwidth I paid for (and yes, I do pay). The fixed IP of my 2Mb ADSL suits my needs, and many of the needs of other business users we have as customers, extra QoS not required
Get off your high horse and suck it's cock.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter