I administer a mail server for a small ISP. The problem with filtering on the user's end is that my costs are consumed by the time the user deals with the spam. I don't think, as the article suggests, that spammers will slow down if their message is not being read, in fact they will just spew out ever more spam. If a 1/10 of 1% hit rate does not deter them, a smaller hit rate won't either.
I have to put some upper limit to the amount of storage I can give each person (right now I allow 100M, which I think is quite reasonable). But if a user goes on vacation and does not check their e-mail for a month, they could have their inbox filled with spam and viruses (not much difference these days, from a server admin point of view). This will prevent legitimate messages from coming through. Therefore, I use the following technical measures to help reduce spam:
- RBLs: dnsbl.njabl.org, sbl.spamhaus.org, xbl.spamhaus.org, and dul.dnsbl.sorbs.net
- SPF:Sender (not adopted widely yet, but it does block a few messages a day even now)
- Blocking specific subject lines (during virus outbreaks this can help)
- Blocking mail "from" non-existent domains
I really have no choice, I cannot afford not to take these measures. I explain all of them to my clients, nobody has had a problem yet. These measures catch roughly 75% of spam and viruses, and as far as I know, no false positives.
The harder it is to find an open relay or other means of injecting spam, the better. It makes spam busting technology work better (e.g. blacklists and other filters) and life more difficult for spammers.
In any case, as the story made clear, if your IP addresses are the source of spam, prepare to be blacklisted. Is being blacklisted so bad? All it means is you will have difficulty running a mail server. Why does everybody have to run a mobile mail server?
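The RBL and sender-domain checks listed in the post above, applied to a single inbound SMTP connection. This is an added example, not the poster's server configuration; it goes a little beyond the list by also handling temporary DNS failures and the null bounce sender. The `resolver` callback, `check_connection`, and every sample record are assumptions constructed for the demo (documentation address ranges and reserved example domains), so it runs offline.

```python
import ipaddress

# DNSBL zones named in the post, queried in this order.
DNSBL_ZONES = ("dnsbl.njabl.org", "sbl.spamhaus.org",
               "xbl.spamhaus.org", "dul.dnsbl.sorbs.net")
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 clients only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listing(answer):
    """Only an A record inside 127.0.0.0/8 means 'listed'. Any other answer
    (for example a wildcard on a retired or re-registered zone) is ignored."""
    try:
        return ipaddress.ip_address(answer) in LISTED_RANGE
    except ValueError:
        return False


def check_connection(client_ip, mail_from, resolver):
    """Return (smtp_code, reason) for one connection.

    resolver(name, rtype) is a hypothetical callback: it returns a list of
    record strings (empty when the name has no such record) and raises
    LookupError on a temporary failure such as a timeout or SERVFAIL.
    """
    # Step 1: reject clients listed on any configured DNSBL.
    for zone in DNSBL_ZONES:
        try:
            answers = resolver(dnsbl_query_name(client_ip, zone), "A")
        except LookupError:
            continue  # an unreachable list must not block legitimate mail
        if any(is_listing(a) for a in answers):
            return 550, "client %s listed in %s" % (client_ip, zone)

    # Step 2: the null reverse-path carries bounces and has no domain to check.
    if mail_from == "":
        return 250, "null sender accepted"
    if "@" not in mail_from:
        return 501, "malformed sender address"
    domain = mail_from.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return 501, "malformed sender address"

    # Step 3: the sender domain must be able to receive mail (MX, else A).
    try:
        if resolver(domain, "MX") or resolver(domain, "A"):
            return 250, "ok"
    except LookupError:
        # Defer instead of rejecting: the domain may exist, DNS is just down.
        return 451, "temporary DNS failure for %s" % domain
    return 550, "sender domain %s does not resolve" % domain


# Constructed sample data standing in for live DNS.
SAMPLE_RECORDS = {
    ("4.113.0.203.xbl.spamhaus.org", "A"): ["127.0.0.4"],   # a real listing
    ("9.100.51.198.sbl.spamhaus.org", "A"): ["192.0.2.80"],  # not in 127/8
    ("example.org", "MX"): ["10 mail.example.org"],
}
SAMPLE_TEMPFAIL = {("flaky.example", "MX")}


def sample_resolver(name, rtype):
    """Offline resolver over the constructed records above."""
    if (name, rtype) in SAMPLE_TEMPFAIL:
        raise LookupError("SERVFAIL (constructed)")
    return SAMPLE_RECORDS.get((name, rtype), [])


if __name__ == "__main__":
    cases = [
        ("203.0.113.4", "user@example.org"),
        ("198.51.100.9", "user@example.org"),
        ("198.51.100.20", "user@no-such-domain.invalid"),
        ("198.51.100.20", "user@flaky.example"),
        ("198.51.100.20", ""),
    ]
    for ip, sender in cases:
        print(ip, repr(sender), check_connection(ip, sender, sample_resolver))
```

In production the `resolver` argument would be backed by a DNS library that can query MX records; the standard library alone cannot.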
I run a non-profit wireless ISP, we make no mistake about our policies. We NAT to private address space, block everything, then open up selected ports that we feel are not subject to abuse. Sorry, but it is, after all, free access. A few people have noticed (not complained) that they cannot access their older e-mail systems (not using SSL, using port 25 for initial mail submission). However, VPNs, and most encrypted connections (including SSH!) are permitted. We don't care what you do on our network, but we're not willing to accept responsibility for inappropriate activity.
Nice comparison, but what about dual or quad processor systems? I have recently installed both FreeBSD 4.9 and 5.2.1 on (almost) identical dual-Xeon servers. Both are operating as if they had 4 processors (due to HTT). How would the Athlon, etc. stack up with this setup (seriously, I'd like to know)? Maybe HTT really shines on multiple CPU systems, not just mono-processor? Maybe.
BTW- FreeBSD (either version) on a brand new Dell rack-mount server, with hardware RAID, 2GB RAM, dual processor (of course) makes for a very fast server! I have them configured mostly as web servers, a number of Perl generated dynamic pages (ad serving mostly), rsync, CVS repository, Cyrus and Sendmail (w/SASL AUTH and TLS/SSL), MySQL, and a custom rsync staging/production environment. When I run top, it sure is nice to every now and then see 2 processors at almost 100% utilization, yet also show 50% idle. I have no benchmarks to report, alas these are production machines in use.
This is something of a nightmare for cafe operators, we can hardly block outbound smtp...
If you operate a public Internet access point (school, library, cafe, city park, etc.) please block egress port 25 traffic! Your patrons do not need to pretend to be an e-mail server. To allow such traffic to come from your network is to invite spammers, scammers, and so on to operate freely with your resources. Anyone needing legitimate e-mail access can use webmail or pester their ISP or business to use SMTP+AUTH+SSL/TLS for initial mail submission (on a port other than 25, of course).
Configuring a SMTP server to handle this is not difficult for a reasonably skilled sys admin, so no excuses!
Good overview, all things considered. I would like to add to one of his conclusions (from part 1):
IMAP can be used with SSL and supports secure authentication, but not all servers support this. SMTP also supports SSL or TLS but again, many organizations' servers do not support this or use only server-side certificates.
This conclusion is correct, but why is this considered a stopping point? Mail admins-- get off your collective butts and add encryption and authentication to your mail servers! The author also forgot to mention that server side certificates are not necessary for SMTP, SMTP+AUTH addresses this quite nicely.
Note that such measures are not necessary for most users. Home users that use their ISP's mail server don't have to implement any of this, since the ISP can already account for the user. Let us not forget that "most users" do not have the e-mail needs that many Slashdot readers do. For those needing roaming access and multiple addresses, use IMAPS and SMTP+SSL+AUTH.
Just to reiterate, I am not against anonymous e-mail. True, I do not consider it as vital as you do. This is a philosophical disagreement, fair enough. But I do run a mail server, with many clients and a great many e-mail accounts I am responsible for. My clients have expressed an interest in keeping their inboxes as free of junk as possible, and I hope to oblige them.
This is my choice, and I have outlined this to my clients. They are aware of the multiple RBLs I use. They are aware I have the server set to reject any incoming mail from non-existent domains. They are aware that I will continue to explore and implement further techniques to help what we feel is a very real problem.
Forging e-mail headers to bypass methods that I use and that I propose is illegal-- under current fraud laws. I certainly do not think sending anonymous e-mail should be illegal. If someone wants to set up an anonymous remailer system, that is fine with me. If I notice abuse, however I wish to define it, I will block incoming mail from that system. No laws are necessary, only technology.
I am not delusional, I do not think any of what I propose will eliminate spam! Someone will still be able to get an AOL account, and send out a couple hundred stock market pump-n-dump spams. Nothing can preemptively stop that (AOL will cancel that account, of course). But right now, shady marketers in the U.S. are paying criminal gangs in the former USSR to send out millions of messages-- via hijacked home computers on cable modems. All anonymously. To use your drug war analogy, it's not the drug use/abuse I have a problem with. It's the carjacking and murder I have a problem with.
I propose that Pobox allow you to SMTP to their server on a port other than 25 (465 or 587). That quite nicely takes care of the problem, and is an easy change in your mail client settings.
Your argumentative methods are, creative? Where to start...
Well I guess you finally admit it in paragraph #3,... Why is it so hard to admit?
Admit what? That anonymous e-mail has serious issues? I never said I wanted to eliminate anonymous e-mail. I have suggested technical changes to the status quo. I have "admitted" that this will make anonymous messaging more difficult. My friend, the world is not a binary place. It's not a choice of either 100% e-mail freedom versus draconian Nazi oversight. While it makes your argument easier to look at it that way, as you get older you will realize that often compromise is necessary for progress. I have suggested a compromise, that I believe will make e-mail more useful for everyone-- even you. That's right, besides less spam and virus infections in your inbox, your e-mails will be more likely to be read.
You don't want to track the user you just want to track their computer?
Yes. If you connect to my SMTP server, I want to know what computer was responsible. I will do everything I can to block any message originating from systems that mask, obscure, forge, or otherwise make it more difficult to track down abuse. So will AOL, and other large ISPs that are tired of dealing with the rampant abuse that comes with the status quo. If you run your own mail server, you are free to allow whatever you want. God bless America.
If I want to send a message to my father... I have to post it to /.
I was not suggesting that the only way you could send mystery messages to your father was through Slashdot. I quite clearly identified that suggestion as an example (hint- I used the word "example").
All the reasons to possibly eliminate anonymous email...
See above. I did not propose eliminating anonymous e-mail. I proposed technical changes that will make certain types of behavior more difficult.
it is an embarrassment to offer to trade your own anonymity... to reduce spam
Once again, I offer no such trade. No embarrassment at all-- where did you get that? You are making things up, nowhere did I suggest embarrassment on my part. However, I will admit I am embarrassed when I set e-mail up for the first time for a friend or relative, and a few days later their inbox is filled with penis enlargement salves and breast enlargement pills (or the other way around).
...to offer the anonymity of others in the deal is deplorable
Again, I offered no such binary option. You might want to look up the word "deplorable". It is one of those big words that is overused, mostly by people running for office.
...the painful dance you did around your answer
Not painful at all. I did not consider my only options for addressing your concerns to be:
- "Yes you are 100% correct, anonymity must be preserved"
- "No, you are wrong-- we must eliminate anonymity at all costs"
As I noted above, my suggestions do not consider anonymity at all. Smarter minds than ours will find a way to deal with such things, as long as there are people who want it. I am proposing technical changes that will reduce the amount of abuse of the e-mail system in everyone's inbox. Current estimates peg that at 60%-- six out of every ten e-mails are spam (that does not include virus breakouts). I consider that a problem and I propose a solution. You are twisting any argument that threatens your ease of anonymity-- something you have taken for granted. With all due respect, you are not making a positive contribution to the discussion. Perhaps you should step aside-- or even better, volunteer to administer a large e-mail system. Offer to pay for the additional hard drives and
When the SoBig virus hit, I was inundated with messages that originated from workstations at Booz Allen (as well as other companies, they are just an example). Over 60 unique IP addresses, all from the Falls Church (Virginia) office (same class C). Their IT department had a firewall in place, but it allowed all of those workstations to spew to remote SMTP servers at will. Even after they realized they had a massive problem, they still did not block egress port 25 traffic. That was irresponsible. A simple move on their part would have not only slowed down the spread of the virus, but saved them from a great deal of embarrassment. It's that simple.
Wide open SMTP is a problem. If we don't address it now, it will continue to get worse. Yes, we need to throw the baby (existing forwarding services, anonymous remailers, "send this page to a friend" scripts) with the bathwater (viruses, spam, 419 fraud, etc.). It's not that tough to deal with the necessary changes.
SMTP+AUTH+SSL for initial mail submission on ports other than 25
People have been using the limitations of SMTP for many things, some are quite innocent (forwarding, creating "send this page to a friend" scripts on web sites, etc.), and some are quite abusive (spam, viruses, 419 fraud, etc.). To a certain degree, it is time to throw the baby out with the bathwater. There is quite a bit of spam that has been produced by abusing web sites that allow "send this page to a friend", where you type in your e-mail address that appears as the "From:". While it is a nifty idea, it is just too easy to abuse, and thus it has been abused. It should have never been possible in the first place-- that was a flaw in SMTP.
Forwarding is another thing. It looks like you use pobox.com for forwarding-- they are the folks that invented SPF, and they have come up with a way to deal with forwarding that SPF does not break. I think their point is valid-- "SPF does not break forwarding, forwarding breaks SPF".
OK, I'll bite. What allows spam to linger as a problem are the limitations of SMTP. I think we need to eliminate those shortcomings, in particular the ease of assuming whatever identity one wishes when mail is sent, and the ability to use almost any server to handle the mail transport for you. Some people have been utilizing those shortcomings for non-abusive purposes. Many more have been abusing those shortcomings for spam and fraud.
When cars were first invented, you did not have to get a licence-- either for your car or to allow you to drive. The earliest cars didn't even have keys, anyone could crank it up and drive. Times changed, and some of the freedoms enjoyed by early automobile pioneers disappeared.
For the most part, yes-- I want to eliminate this type of anonymous email (using any random SMTP server that you may or may not be authorized to use). There are many other ways to send messages anonymously, for example posting as an AC on Slashdot (your method of choice, which is fine with me). However, blocking port 25 does not necessarily have to do with anonymity, it has to do with correcting a problem with SMTP. I am not as concerned with being able to track the sender of a message, as much as I am concerned with tracking the source (as in computer) of the message. Any source that has an unusually high amount of abuse (spam, viruses) needs to have its operator informed. Random Windows machines on cable modems infected with [insert virus of the week here] do not have an operator, and should not be permitted to connect to SMTP servers for the purposes of abuse. ISPs can help by blocking egress port 25.
It would thus follow, by your logic, that 280+ million Americans produce 60% of the world E-mail while 200+ million Germans French and English are responsible for only 1.83%+1.50%+1.31%=4.64% of it?
How does that follow? You have jumped from total e-mail traffic to total population-- that is a massive (incorrect) logical leap. I think you are missing the point entirely. The statement "The U.S. produces 60% of all spam" cannot be considered by itself. There are too many other factors to consider before reaching ANY conclusions.
I think the answer we are all looking for is how to put a dent in spam. This single number, by itself, does not give us any answers-- indeed it does not even point us in the right direction. We need the following raw numbers:
- Total email messages sent
- Total messages sent that are considered spam
- Total sources of email (unique SMTP servers)
- Total sources of spam (unique SMTP servers)
- Total hijacked SMTP servers
- Total hijacked Windows workstations
- Breakdown, by country, of above
- Breakdown, by country, of original sources of spam (acting as a client to one of the above SMTP servers)
- Breakdown, by country, of spamvertised web sites
And probably a few more numbers. That will allow some real numbers that mean something.
I think it is time that ISPs block, by default, all outbound port 25 traffic. Customers can either:
1. Use the ISP's mail server (this accommodates 90% right away)
2. Use a VPN or SMTP+AUTH(+SSL) on an alternate port to connect to their SMTP server of choice (this accommodates another 9%)
3. For the remaining few that just have to run their own SMTP server, let them have a static IP and open up the ports

Of course, some consumer ISPs won't be willing to deal with the headaches of option #3, or perhaps might charge a bit more for it, which is entirely fair. Businesses need to block all egress port 25 period, there is rarely a legitimate need for an employee to run their own SMTP server (unless they work in the IT department, but then they can probably open the port up themselves).
I run my own SMTP server, too. I have a static IP address, and if there are any problems (e.g. spam), they know exactly where to find me. So does anyone else, they can do a standard reverse lookup on my IP address. I have nothing to hide.
If you can run an SMTP server on a static IP address, with correct reverse DNS entries (so I can find out who you are with a simple 'dig -x'), there should be no problem with your ISP letting you do whatever you want to. Plus, the mail you send to other systems won't "smell" like spam.
Surely you realize that you are in the minority-- most ISP's users (I assume you were referring to a server you run at home, or off a DSL or cable modem) do not run their own SMTP server. Correction-- they do not intend to. Many end up running one after they are infected with a trojan of some sort. To the outside world, what is the difference between you (I will assume you know what you're doing), and a trojan infected Windows XP home computer? Both look like 23-54-120-4.dynamic.isp.net when I look up the IP address. For an ISP to cut off port 25 after discovering the abuse is several million spam too late.
Follow the cash. How does spam work? It works by getting someone to give the spammer money. Go after the money. Unfortunately, the CAN-SPAM act makes this more difficult, since individuals cannot go after the spammers, only ISPs.
Here's what we need to have in law:
- Hold those relaying spam responsible. You have an open relay? You are liable for any spam coming from your server. No more "pink" contracts.
- ISPs should be held accountable for zombies on their network. Block egress port 25, or else be held responsible for spam spewing from your system. Wake up and administer your system, or pay someone that knows how.
- If you sell a product or service via spam, even if you hire a third party to do the dirty work you will be held responsible.
- Allow individuals to file civil suits. Unload the army of American lawyers on spammers, and create a bounty system as suggested by Larry Lessig.
we are going to have to have more overhead in a "new" SMTP protocol of some sort
SMTP has been extended to allow authentication and verification of senders. Combined with some simple firewall rules on the part of ISPs and businesses, we could have this spam problem under control. Here's what we need:
1. If you have an SMTP server that external (to your network) clients need to use to send mail (i.e. initial mail submission), use SMTP+AUTH+SSL (how-to, how-to). Configure initial mail submission on a port other than port 25 (465 or 587).
2. ISPs, businesses, free hotspots, block egress port 25 traffic! The only reasons not to are addressed by the previous item.
3. Implement SPF:Sender, for your SMTP server as well as publishing the DNS records.
4. Use reasonable blacklists (DNSBL). As systems start to adopt the first three points (and more and more are every day), blacklist those systems that don't. They will be the only places left people could effectively send spam from. ISPs not cutting off spammers will continue to end up on blacklists, which leads to an economic hit (see original article).
Once in place (and these are just not that tough, so no whining), the economics of spamming start to change. Spammers will find it harder to set up shop. The use of hijacked Windows workstations is eliminated through egress port 25 blocking and blacklists. Spammer friendly ISPs are blacklisted, so that no longer works. Inboxes throughout the world rejoice. The Russian mob surrenders. The world plunges into a thousand years of peace, prosperity, and happiness.
Old article, from 1982, but quite revealing (I think there was a posting on this to Slashdot a few years back).
The diamond trade is not only a carefully controlled monopoly, but the whole idea of diamonds being "rare" and "valuable" is a carefully crafted (over almost 100 years) con on (mainly) Americans.
This may illustrate one of the hallmarks of open source software-- that software open to prying eyes is inherently more secure than closed source. I won't be surprised if digging through the source reveals a number of exploitable security flaws, perhaps many more than have been revealed with the source closed!
To paraphrase Bruce Schneier, if I give you the plans to my safe, and 100 identical safes with the combinations so you can study the locking mechanism in detail, and you still can't crack my safe-- that's security!
I do not wear, nor have I ever worn, underpants on my head. You are incorrect on that point.
Recipients do not, generally, have a SMTP server
Actually, they do. I guess technically it's not theirs, but it is one they have been given access to (by their ISP, or by their business or other organization that runs a SMTP server). That's what should be receiving mail for them, and that's where the problem is if residential users infected with [fill in this week's virus] connect to. That's why so many SMTP servers block as many DHCP IPs as they know about. I do.
When you send email you will need to be able to access port 25 on a remote machine
Not if the admin of the remote SMTP server you wish to use as your MTA knows what they're doing. Part of the problem is that initial mail submission and mail transport both use port 25. I have configured my server to allow initial mail submission on an alternate port (465), and have SMTP+AUTH+SSL running on that port. My users connect via SSL and must use a password to send mail. They can do this from any ISP, even AOL.
I certainly don't wish to deny information. Mail servers on consumer level accounts simply cause too many problems. For every properly functioning mail server behind a dialup/cable modem/residential DSL, there are 100s, if not 1000s of improperly configured servers, with almost no accountability. I am referring primarily to infected Windows machines, that like it or not, act like a mail server. Then there are the casual hobbyists that test Exchange wide open because they don't know any better, or the home user that installs WinGate and becomes an unwitting haven for spammers.
If you want to run a mail server, at least get a static IP so you can be held accountable for any improper use of the Internet you might engage in (providing a resource for spammers is considered improper).
If port 25 is blocked, we'd just get SMTP-over-HTTP
I'm not sure what you mean by that. For e-mail to be received, it eventually arrives at the recipient's SMTP server on port 25. That is what I advocate blocking-- port 25 traffic from residential accounts. It does not matter if the message floats around the Internet on various ports, what matters is that infected Windows machines cannot directly connect to SMTP servers via port 25.
Actually, if more ISPs blocked egress port 25 traffic, these types of viruses (that use their own SMTP engine) would not have been an issue in the first place. Leaving port 25 open is a bad idea for ISPs, and a bad idea for businesses that have computers on the internet.
This company does not have a toll free number, and I don't live near them. Nobody answers their phone anyway. I did call them, left a (nice) message, and nobody ever returned my call.
I once complained to "dotregistrar.com" about one of their clients. I used their web form to file the complaint, since they do not have any operational phone numbers. An e-mail address is required, so I used "alec@dotregistrar.mydoman.com" (I have configured my mail server to allow me to create these types of addresses on-the-fly). I never heard back from them, but to date I have received over 100 spam to that very same address!
DotRegistrar may disclose any Required Information, specified in paragraph 10, above, to third parties or to the public at large, for any purpose and at its discretion.
There is no information about data collected as part of a complaint, so I guess I was supposed to assume that. Any other dotregistrar stories? Did I "opt-in"?
Use a different port for initial mail submission. In other words, accept mail from the outside world to your users on port 25 (the standard port for MTAs to communicate). Obviously, you are already doing this. For mail from your users to the outside world (or other users, for that matter), use port 587 (submission) or even better, port 465 (smtps) with SSL or TLS for security. Now none of your users have to worry about ISPs blocking egress port 25 traffic (a practice I support, as it fixes many other problems in addition to spam-- such as Windows viruses).
SMTP+SSL+AUTH is better than POP before SMTP, now that most clients support AUTH. The trick is setting it up, see these tips for more advice:
http://www.sendmail.org/~ca/email/auth.html
http://www.sendmail.org/~ca/email/starttls.html
http://www.sendmail.org/compiling.html
(obviously, these tips are for Sendmail, but other MTAs can be similarly configured).
The cafe operator ought to know better:
If you operate a public Internet access point (school, library, cafe, city park, etc.) please block egress port 25 traffic! Your patrons do not need to pretend to be an e-mail server. To allow such traffic to come from your network is to invite spammers, scammers, and so on to operate freely with your resources. Anyone needing legitimate e-mail access can use webmail or pester their ISP or business to use SMTP+AUTH+SSL/TLS for initial mail submission (on a port other than 25, of course).
Configuring a SMTP server to handle this is not difficult for a reasonably skilled sys admin, so no excuses!
Not the project, just the posts. Sendmail vulnerability from 2002? FreeBSD vulnerability (top of the list, no less) from 2000? Did I miss something?
Good overview, all things considered. I would like to add to one of his conclusions (from part 1):
This conclusion is correct, but why is this considered a stopping point? Mail admins-- get off your collective butts and add encryption and authentication to your mail servers! The author also forgot to mention that server side certificates are not necessary for SMTP, SMTP+AUTH addresses this quite nicely.Note that such measures are not necessary for most users. Home users that use their ISP's mail server don't have to implement any of this, since the ISP can already account for the user. Let us not forget that "most users" do not have the e-mail needs that many Slashdot readers do. For those needing roaming access and multiple addresses, use IMAPS and SMTP+SSL+AUTH.
Just to reiterate, I am not against anonymous e-mail. True, I do not consider it as vital as you do. This is a philisophocal disagreement, fair enough. But I do run a mail server, with many clients and a great many e-mail accounts I am responsible for. My clients have expressed an interest in keeping their inboxes as free of junk as possible, and I hope to oblige them.
This is my choice, and I have outlined this to my clients. They are aware of the multiple RBLs I use. They are aware I have the server set to reject any incoming mail from non-existant domains. They are aware that I will continue to explore and implement further techniques to help what we feel is a very real problem.
Forging e-mail headers to bypass methods that I use and that I propose is illegal-- under current fraud laws. I certainly do not think sending anonymous e-mail should be illegal. If someone wants to set up an anonymous remailer system, that is fine with me. If I notice abuse, however I wish to define it, I will block incoming mail from that system. No laws are necessary, only technology.
I am not delusional, I do not think any of what I propose will eliminate spam! Someone will still be able to get an AOL account, and send out a couple hundred stock market pump-n-dump spams. Nothing can premptively stop that (AOL will cancel that account, of course). But right now, shady marketers in the U.S. are paying criminal gangs in the former USSR to send out millions of messages-- via hijacked home computers on cable modems. All anonymously. To use your drug war analogy, it's not the drug use/abuse I have a problem with. It's the carjacking and murder I have a problem with.
I propose that Pobox allow you to SMTP to their server on a port other than 25 (465 or 587). That quite nicely takes care of the problem, and is an easy change in your mail client settings.
Your argumentative methods are, creative? Where to start...
Admit what? That anonymous e-mail has serious issues? I never said I wanted to eliminate anonymous e-mail. I have suggested technical changes to the status quo. I have "admited" that this will make anonymous messaging more difficult. My friend, the world is not a binary place. It's not a choice of either 100% e-mail freedom versus draconian Nazi oversight. While it makes your argument easier to look at it that way, as you get older you will realize that often compromise is necessary for progress. I have suggested a compromise, that I believe will make e-mail more useful for everyone-- even you. That's right, besides less spam and virus infections in your inbox, your e-mails will be more likely to be read.
Yes. If you connect to my SMTP server, I want to know what computer was responsible. I will do everything I can to block any message originating from systems that mask, obscure, forge, or otherwise make it more difficult to track down abuse. So will AOL, and other large ISPs that are tired of dealing with the rampant abuse that comes with the status quo. If you run your own mail server, you are free to allow whatever you want. God bless America.
I was not suggesting that the only way you could send mystery messages to your father was through Slashdot. I quite clearly identified that suggestion as an example (hint- I used the word "example").
See above. I did not propose eliminating anonymous e-mail. I proposed technical changes that will make certain types of behavior more difficult.
Once again, I offer no such trade. No embarrassment at all-- where did you get that? You are making things up, nowhere did I suggest embarrassment on my part. However, I will admit I am embarrassed when I set e-mail up for the first time for a friend or relative, and a few days later their inbox is filled with penis enlargement salves and breast enlargement pills (or the other way around).
Again, I offered no such binary option. You might want to look up the word "deplorable". It is one of those big words that is overused, mostly by people running for office.
Not painful at all. I did not consider my only options for addressing your concerns to be:
As I noted above, my suggestions do not consider anonymity at all. Smarter minds than ours will find a way to deal with such things, as long as there are people who want it. I am proposing technical changes that will reduce the amount of abuse of the e-mail system in everyone's inbox. Current estimates peg that at 60%-- six out of every ten e-mails are spam (that does not include virus breakouts). I consider that a problem and I propose a solution. You are twisting any argument that threatens your ease of anonymity-- something you have taken for granted. With all due respect, you are not making a positive contribution to the discussion. Perhaps you should step aside-- or even better, volunteer to administer a large e-mail system. Offer to pay for the additional hard drives and
When the SoBig virus hit, I was inundated with messages that originated from workstations at Booz Allen (as well as other companies, they are just an example). Over 60 unique IP addresses, all from the Falls Church (Virginia) office (same class C). Their IT department had a firewall in place, but it allowed all of those workstations to spew to remote SMTP servers at will. Even after they realized they had a massive problem, they still did not block egress port 25 traffic. That was irresponsible. A simple move on their part would have not only slowed down the spread of the virus, but saved them from a great deal of embarrassment. It's that simple.
Wide open SMTP is a problem. If we don't address it now, it will continue to get worse. Yes, we need to throw the baby (existing forwarding services, anonymous remailers, "send this page to a friend" scripts) with the bathwater (viruses, spam, 419 fraud, etc.). It's not that tough to deal with the necessary changes.
- SMTP+AUTH+SSL for initial mail submission on ports other than 25
- SPF::Sender
- SRS for forwarding
- scripts that don't allow spoofing
- ISPs blocking (by default) egress port 25
That's the solution.
People have been using the limitations of SMTP for many things, some are quite innocent (forwarding, creating "send this page to a friend" scripts on web sites, etc.), and some are quite abusive (spam, viruses, 419 fraud, etc.). To a certain degree, it is time to throw the baby out with the bathwater. There is quite a bit of spam that has been produced by abusing web sites that allow "send this page to a friend", where you type in your e-mail address that appears as the "From:". While it is a nifty idea, it is just too easy to abuse, and thus it has been abused. It should have never been possible in the first place-- that was a flaw in SMTP.
Forwarding is another thing. It looks like you use pobox.com for forwarding-- they are the folks that invented SPF, and they have come up with a way to deal with forwarding that SPF does not break. I think their point is valid-- "SPF does not break forwarding, forwarding breaks SPF".
OK, I'll bite. What allows spam to linger as a problem are the limitations of SMTP. I think we need to eliminate those shortcomings, in particular the ease of assuming whatever identity one wishes when mail is sent, and the ability to use almost any server to handle the mail transport for you. Some people have been utilizing those shortcomings for non-abusive purposes. Many more have been abusing those shortcomings for spam and fraud.
When cars were first invented, you did not have to get a licence-- either for your car or to allow you to drive. The earliest cars didn't even have keys, anyone could crank it up and drive. Times changed, and some of the freedoms enjoyed by early automobile pioneers disappeared.
For the most part, yes-- I want to eliminate this type of anonymous email (using any random SMTP server that you may or may not be authorized to use). There are many other ways to send messages anonymously, for example posting as an AC on Slashdot (your method of choice, which is fine with me). However, blocking port 25 does not necessarily have to do with anonymity, it has to do with correcting a problem with SMTP. I am not as concerned with being able to track the sender of a message, as much as I am concerned with tracking the source (as in computer) of the message. Any source that has an unusually high amount of abuse (spam, viruses) needs to have its operator informed. Random Windows machines on cable modems infected with [insert virus of the week here] do not have an operator, and should not be permitted to connect to SMTP servers for the purposes of abuse. ISPs can help by blocking egress port 25.
How does that follow? You have jumped from total e-mail traffic to total population-- that is a massive (incorrect) logical leap. I think you are missing the point entirely. The statement "The U.S. produces 60% of all spam" cannot be considered by itself. There are too many other factors to consider before reaching ANY conclusions.
I think the answer we are all looking for is how to put a dent in spam. This single number, by itself, does not give us any answers-- indeed it does not even point us in the right direction. We need the following raw numbers:
- Total email messages sent
- Total messages sent that are considered spam
- Total sources of email (unique SMTP servers)
- Total sources of spam (unique SMTP servers)
- Total hijacked SMTP servers
- Total hijacked Windows workstations
- Breakdown, by country, of above
- Breakdown, by country, of original sources of spam (acting as a client to one of the above SMTP servers)
- Breakdown, by country, of spamvertised web sites
And probably a few more numbers. That will allow some real numbers that mean something.
I think it is time that ISPs block, by default, all outbound port 25 traffic. Customers can either:
- Use the ISP's mail server (this accommodates 90% right away)
- Use a VPN or SMTP+AUTH(+SSL) on an alternate port to connect to their SMTP server of choice (this accommodates another 9%)
- For the remaining few that just have to run their own SMTP server, let them have a static IP and open up the ports
Of course, some consumer ISPs won't be willing to deal with the headaches of option #3, or perhaps might charge a bit more for it, which is entirely fair. Businesses need to block all egress port 25 period, there is rarely a legitimate need for an employee to run their own SMTP server (unless they work in the IT department, but then they can probably open the port up themselves).
I run my own SMTP server, too. I have a static IP address, and if there are any problems (e.g. spam), they know exactly where to find me. So does anyone else, they can do a standard reverse lookup on my IP address. I have nothing to hide.
If you can run an SMTP server on a static IP address, with correct reverse DNS entries (so I can find out who you are with a simple 'dig -x'), there should be no problem with your ISP letting you do whatever you want to. Plus, the mail you send to other systems won't "smell" like spam.
Surely you realize that you are in the minority-- most ISP's users (I assume you were referring to a server you run at home, or off a DSL or cable modem) do not run their own SMTP server. Correction-- they do not intend to. Many end up running one after they are infected with a trojan of some sort. To the outside world, what is the difference between you (I will assume you know what you're doing), and a trojan infected Windows XP home computer? Both look like 23-54-120-4.dynamic.isp.net when I look up the IP address. For an ISP to cut off port 25 after discovering the abuse is several million spam too late.
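The point above, that a home mail server and a trojan-infected PC both present a name like 23-54-120-4.dynamic.isp.net, as an added example (not code from the original comments): a heuristic that flags PTR names embedding the client's own IPv4 octets or a pool keyword. The keyword list and every sample hostname except that one are constructed assumptions.

```python
import re

# Keywords that often mark consumer address pools in PTR names.
# Constructed list (an assumption); tune it against your own mail logs.
POOL_WORDS = {"dyn", "dynamic", "dhcp", "pool", "dsl", "adsl", "cable", "dialup", "ppp"}

def embeds_ip(ptr, ip):
    """True if four consecutive numbers in the PTR name equal the IPv4
    octets, in forward or reversed order (zero padding is ignored)."""
    octets = [int(o) for o in ip.split(".")]
    nums = [int(n) for n in re.findall(r"\d+", ptr)]
    return any(nums[i:i + 4] in (octets, octets[::-1])
               for i in range(len(nums) - 3))

def classify(ip, ptr):
    """Return 'no-ptr', 'generic' (auto-generated pool name) or 'named'."""
    if not ptr:
        return "no-ptr"
    name = ptr.rstrip(".").lower()
    words = set(re.split(r"[^a-z]+", name))
    if embeds_ip(name, ip) or words & POOL_WORDS:
        return "generic"
    return "named"

# Constructed (ip, PTR) pairs, as a mail server might log them at connect time.
# Only the first hostname comes from the comment above.
SAMPLES = [
    ("23.54.120.4", "23-54-120-4.dynamic.isp.net"),
    ("203.0.113.9", "9.113.0.203.cable.example.net."),
    ("198.51.100.7", None),
    ("192.0.2.25", "mail.example.org"),
]

def triage(samples):
    """Map each connecting IP to its verdict."""
    return {ip: classify(ip, ptr) for ip, ptr in samples}

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLES).items():
        print(f"{ip:15} {verdict}")
```

A "named" verdict only means the name does not look auto-generated; it says nothing about whether the forward lookup of that name returns the same IP.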
Follow the cash. How does spam work? It works by getting someone to give the spammer money. Go after the money. Unfortunately, the CAN-SPAM act makes this more difficult, since individuals cannot go after the spammers, only ISPs.
Here's what we need to have in law:
SMTP has been extended to allow authentication and verification of senders. Combined with some simple firewall rules on the part of ISPs and businesses, we could have this spam problem under control. Here's what we need:
Once in place (and these are just not that tough, so no whining), the economics of spamming start to change. Spammers will find it harder to set up shop. The use of hijacked Windows workstations is eliminated through egress port 25 blocking and blacklists. Spammer friendly ISPs are blacklisted, so that no longer works. Inboxes throughout the world rejoice. The Russian mob surrenders. The world plunges into a thousand years of peace, prosperity, and happiness.
Old article, from 1982, but quite revealing (I think there was a posting on this to Slashdot a few years back).
The diamond trade is not only a carefully controlled monopoly, but the whole idea of diamonds being "rare" and "valuable" is a carefully crafted (over almost 100 years) con on (mainly) Americans.
This may illustrate one of the hallmarks of open source software-- that software open to prying eyes is inherently more secure than closed source. I won't be surprised if digging through the source reveals a number of exploitable security flaws, perhaps many more than have been revealed with the source closed!
To paraphrase Bruce Schneier, if I give you the plans to my safe, and 100 identical safes with the combinations so you can study the locking mechanism in detail, and you still can't crack my safe-- that's security!
you have got your underpants on your head mate
I do not wear, nor have I ever worn, underpants on my head. You are incorrect on that point.
Recipients do not, generally, have a SMTP server
Actually, they do. I guess technically it's not theirs, but it is one they have been given access to (by their ISP, or by their business or other organization that runs a SMTP server). That's what should be receiving mail for them, and that's where the problem is if residential users infected with [fill in this week's virus] connect to. That's why so many SMTP servers block as many DHCP IPs as they know about. I do.
When you send email you will need to be able to access port 25 on a remote machine
Not if the admin of the remote SMTP server you wish to use as your MTA knows what they're doing. Part of the problem is that initial mail submission and mail transport both use port 25. I have configured my server to allow initial mail submission on an alternate port (465), and have SMTP+AUTH+SSL running on that port. My users connect via SSL and must use a password to send mail. They can do this from any ISP, even AOL.
I certainly don't wish to deny information. Mail servers on consumer level accounts simply cause too many problems. For every properly functioning mail server behind a dialup/cable modem/residential DSL, there are 100s, if not 1000s of improperly configured servers, with almost no accountability. I am referring primarily to infected Windows machines, that like it or not, act like a mail server. Then there are the casual hobbyists that test Exchange wide open because they don't know any better, or the home user that installs WinGate and becomes an unwitting haven for spammers.
If you want to run a mail server, at least get a static IP so you can be held accountable for any improper use of the Internet you might engage in (providing a resource for spammers is considered improper).
I'm not sure what you mean by that. For e-mail to be received, it eventually arrives at the recipient's SMTP server on port 25. That is what I advocate blocking-- port 25 traffic from residential accounts. It does not matter if the message floats around the Internet on various ports, what matters is that infected Windows machines cannot directly connect to SMTP servers via port 25.
Actually, if more ISPs blocked egress port 25 traffic, these types of viruses (that use their own SMTP engine) would not have been an issue in the first place. Leaving port 25 open is a bad idea for ISPs, and a bad idea for businesses that have computers on the internet.
This company does not have a toll free number, and I don't live near them. Nobody answers their phone anyway. I did call them, left a (nice) message, and nobody ever returned my call.
I once complained to "dotregistrar.com" about one of their clients. I used their web form to file the complaint, since they do not have any operational phone numbers. An e-mail address is required, so I used "alec@dotregistrar.mydoman.com" (I have configured my mail server to allow me to create these types of addresses on-the-fly). I never heard back from them, but to date I have received over 100 spam to that very same address!
Their AUP does state:
There is no information about data collected as part of a complaint, so I guess I was supposed to assume that. Any other dotregistrar stories? Did I "opt-in"?
Use a different port for initial mail submission. In other words, accept mail from the outside world to your users on port 25 (the standard port for MTAs to communicate). Obviously, you are already doing this. For mail from your users to the outside world (or other users, for that matter), use port 587 (submission) or even better, port 465 (smtps) with SSL or TLS for security. Now none of your users have to worry about ISPs blocking egress port 25 traffic (a practice I support, as it fixes many other problems in addition to spam-- such as Windows viruses).
SMTP+SSL+AUTH is better than POP before SMTP, now that most clients support AUTH. The trick is setting it up, see these tips for more advice:
http://www.sendmail.org/~ca/email/auth.html
http://www.sendmail.org/~ca/email/starttls.html
http://www.sendmail.org/compiling.html
(obviously, these tips are for Sendmail, but other MTAs can be similarly configured).
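One way to check that a submission port really behaves as the comment above describes (TLS first, then AUTH), as an added example that is not from the original comment or from Sendmail: it audits the EHLO feature sets seen before and after STARTTLS. The sample feature dicts are constructed, and the host passed to `probe` is whatever server you administer.

```python
import smtplib
import ssl

# SASL mechanisms that send the password itself (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def audit_submission(before_tls, after_tls):
    """Audit EHLO feature dicts (the shape of smtplib.SMTP.esmtp_features)
    taken before and after STARTTLS. Returns a list of findings."""
    findings = []
    pre_auth = set(before_tls.get("auth", "").upper().split())
    post_auth = set(after_tls.get("auth", "").upper().split())
    if "starttls" not in before_tls:
        findings.append("STARTTLS not offered: the session cannot be encrypted")
    if pre_auth & PLAINTEXT_MECHS:
        weak = ", ".join(sorted(pre_auth & PLAINTEXT_MECHS))
        findings.append("plaintext AUTH offered before TLS: " + weak)
    if not post_auth:
        findings.append("no AUTH after TLS: not an authenticated submission port")
    return findings

def probe(host, port=587, timeout=10):
    """EHLO, STARTTLS, EHLO again against a live server (needs network)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before, after = dict(s.esmtp_features), {}
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo()
            after = dict(s.esmtp_features)
    return before, after

# Constructed feature sets for illustration.
GOOD_BEFORE = {"starttls": "", "size": "10240000"}
GOOD_AFTER = {"auth": "PLAIN LOGIN", "size": "10240000"}
WEAK_BEFORE = {"auth": " PLAIN LOGIN", "size": "10240000"}  # no STARTTLS at all
WEAK_AFTER = {}

if __name__ == "__main__":
    print(audit_submission(GOOD_BEFORE, GOOD_AFTER))
    for line in audit_submission(WEAK_BEFORE, WEAK_AFTER):
        print("FINDING:", line)
```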