How many of you ISPs are sick of dealing with spam after the fact?? You get complaints from the world after spam from one of your customers is sent out - via whatever clever way they have to beat the latest incoming spam filters. Your customer doesn't care. It's called spam & run. Disable their account and they spam & run elsewhere. This does nothing to stop spam - only wastes your time.

Measures like the BGP filtering and incoming sendmail hacks are hip. But they do not stop spam. The BGP blackholes all IP traffic, not just mail. Disabling mail relay is indeed hard - especially for ISPs where your business _is_ relaying mail. Legal action is worthless - spammers just move or relay off-shore or otherwise out of whatever jurisdiction we want to impose.

It's like trying to fight a fire pointing your extinguisher at the dancing flame-tips. Go for the base! The analogy I like best is the "Whack-a-Mole" game at the arcade. Your reflexes aren't fast enough to deal with the spammers. We need the heavy artillery and we need to go for the throat. Whacking even most of the moles doesn't fix your yard. Blocking incoming spam doesn't keep the bandwidth from being wasted.

I have two preventative tactics I'd like to see pursued. Given infinite hours in the day, I'd do them myself. The ONLY way to deal with spam once and for all is for responsible ISPs to proactively enforce anti-spam policies. Then we can have whitelists instead of blacklists.

1) filter outgoing mail
2) validate new users through a "spam" bureau

Impossible you say? No, impossible is fighting spam from the WRONG side.

-Filtering outgoing mail

Responsible retail ISPs should deny any and all OUTGOING smtp connections through border routers from hosts that are not validated as spam free. Wholesale ISPs should require their retail ISP customers take these spam free measures. How...
1) First make your own outgoing mail relays spam free:
   o limit number of recipients to something reasonable (<10)
   o validate all headers (no forgery, valid return addrs)
   o relay only for your hosts and customer hosts (by ip, not domain)
   o throttle connections from any one internal ip (eg. <2/minute)
   o allow only simple DNS based addresses (no %![]:)
   Most of this can be done in sendmail compat(). A specialized tool that fits in like smap would be great for this.

2) Have a different mailing list host - lock it down tightly and make sure that all lists only allow postings from list members and no one message can be sent to multiple lists.

3) Allow outgoing smtp connections from your mail relay(s) through your border routers.

4) Make all your end-user customers relay through your now spam-free outgoing mail relay.

5) Any non-end-user customer that wants to make direct smtp connections out needs to make their relay spam-free as above. Otherwise they have to go through your relay. Have a separate legal contract/AUP to enable direct smtp. Charge more money for this service if you want - it will cost you more in the long run in hassle for these customers.

6) Lock everyone else out - deny outgoing smtp.

The main thing that happens by doing this is you are preventing any of your customers from using a third-party relay!! Imagine that. Even if your outgoing mail relay doesn't do any validation or throttling, you are still preventing external third-party relaying AT THE SOURCE. The hardest part of fighting spam from the receiving end is the presumed-innocent-third-party relaying. Requiring end user hosts to relay through a local outgoing mailer is much easier than disabling relaying on every potential third-party host on the network.

Sure this is expensive in terms of the outgoing mail relay server(s). But I'll put money down that you are already spending much more in dealing with spam complaints after the fact. This is NOT censorship. This is responsible mail delivery.
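The relay rules in step 1, written out as an added Python policy check (this is example code, not anything from the post, sendmail or smap). The address ranges, served domains and thresholds are constructed to match the post's numbers: fewer than 10 recipients, fewer than 2 connections per minute per internal IP, relaying by IP only, and plain user@host.domain addresses.

```python
import re
import ipaddress
from collections import defaultdict, deque

# All values below are constructed for this example and mirror the post's
# thresholds: <10 recipients, <2 connections/minute per internal IP, relay
# only by IP, plain user@host.domain addresses (no % ! [ ] : routing).
MAX_RCPTS = 9
MAX_CONN_PER_MIN = 1
RELAY_NETS = [ipaddress.ip_network("192.0.2.0/24"),       # our hosts (constructed)
              ipaddress.ip_network("198.51.100.0/24")]    # customer hosts (constructed)
OUR_DOMAINS = {"example.net", "customer.example"}         # return addrs we vouch for
SIMPLE_ADDR = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


class OutboundRelayPolicy:
    """Accept/deny decision for one outbound SMTP transaction at the relay."""

    def __init__(self):
        self._conns = defaultdict(deque)   # client ip -> recent connection times

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (allowed, reason); `now` is a timestamp in seconds."""
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in RELAY_NETS):
            return False, "relay denied: %s is not one of our hosts" % client_ip
        # Throttle: drop timestamps older than 60 s, then count what is left.
        window = self._conns[client_ip]
        while window and now - window[0] >= 60:
            window.popleft()
        if len(window) >= MAX_CONN_PER_MIN:
            return False, "throttled: too many connections from %s" % client_ip
        window.append(now)
        if len(rcpt_to) > MAX_RCPTS:
            return False, "too many recipients (%d)" % len(rcpt_to)
        # Only simple DNS-based addresses: no %, !, [, ], : source routing tricks.
        for addr in [mail_from] + list(rcpt_to):
            if not SIMPLE_ADDR.match(addr):
                return False, "rejected address syntax: %s" % addr
        # Envelope return address must be in a domain we actually serve.
        if mail_from.rsplit("@", 1)[1].lower() not in OUR_DOMAINS:
            return False, "return address domain not served here: %s" % mail_from
        return True, "accepted"
```

Header validation beyond the envelope (the "no forgery" item) is left to the MTA; the check here only covers what an envelope-level policy hook can see.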
The message origin is the ONLY place you can do some of this validation. If enough ISPs do this, then we can maintain a proactive list of spam-free ISPs. Forget the blacklists. They'll only get you sued. We need whitelists - ISPs from whom we trust mail is spam-free. All other mail should be stamped as suspect and dealt with on the receiving end accordingly.

I challenge UUNET, PSI, and Earthlink to be the first to adopt this method and/or fund the development of outgoing ISP mail relay tools. This doesn't fix the entire problem. Nothing will. But until origins are willing to proactively enforce their policies, we're just reacting to an ever changing spam profile and we'll never react quite fast or effectively enough. I'll bet the handful of companies who have made public apologies lately wished they had been proactively filtering outgoing mail.

-Validate new users through an anti-spam bureau

Most spam comes from independent individuals contracted to do marketing. Either that or they've been scammed into some Internet get rich quick scheme. Those people sign up for a new account with an ISP, promise to pay $X/mo, spam, get cut off, and move to another ISP. Most ISPs require no identification whatsoever to sign up a new user. It's no wonder that prosecuting spammers is close to impossible because the ISPs don't even have customers' legal name or a valid phone number or mailing address.

I submit that any responsible ISP should not accept any new user account application without:
1) some form of identification to validate name
2) valid phone number (you call it and get that person)
3) valid mailing address (usps.gov is wonderful)

For business customers, contact the secretary of state to validate the company exists and get the names of corporate officers. Check their DnB listing. Now what if you also checked the new user's ISP usage history in a central database - just like a bank checks TRW for your credit history?
Are you going to accept a new user that was kicked off of 5 of the last 6 ISPs for violation of AUP? I hope not. But until that database exists, you are taking a chance that each new user is a potential spammer. These users are costing you real money. Just like a bad credit risk, an ISP has a right and a responsibility to check a new user's history.

The only problem with this approach is how to unambiguously track such information in the database. Being an advocate of privacy, I'm vehemently against using the SSN for such a purpose. Same with driver's license number. Credit card number can change too often. As with databases like TRW, full name (as appears on a driver's license or other form of bona fide identification and should be validated) plus birth date should be sufficient.

Aside from these wish list items, the _best_ way to fight incoming spam is a combination of incoming blocking (my personal blacklist is pretty long including all AGIS nets) and accepting only incoming mail (user agent filters) that explicitly lists a recipient in the header that you accept as being you. The more lists and aliases you are on (webmaster, hostmaster, postmaster, ad infinitum) the harder this gets. For most end-users, this is 100% effective. I've done it for me and it effectively blocked _all_ my incoming spam except those which are personalized and have my actual email address (or a valid alias). These folks you add to your sendmail spammer blocking database. The only drawback with this method is that you no longer get bcc mail. I put all my spam mail aside and peruse it once a week to look for real mail that might be a bcc, a low-vol list I forgot I was on, or otherwise was misfiled as spam.

Barb Dijker, Manager
NeTrack
P O BOX 17565, BOULDER CO 80308-0565 USA
+1.303.938.0188, fax +1.303.938.0177
http://www.netrack.net
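The user-agent filter described above (block known spammers, deliver only mail that explicitly names one of your own addresses or aliases, and park everything else for the weekly bcc review), as an added Python example that is not part of the post. The addresses, aliases, block list and sample messages are all constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed for this example: the addresses I accept as "me" (including
# role aliases), plus the personal block list the post mentions.
MY_ADDRESSES = {"barb@example.net", "postmaster@example.net"}
BLOCKED_SENDERS = {"bulk@spammer.example"}
BLOCKED_DOMAINS = {"agis.example"}   # constructed stand-in for a blocked net
RECIPIENT_HEADERS = ("To", "Cc", "Resent-To", "Resent-Cc")


def classify(raw_message):
    """Return 'blocked', 'inbox' or 'suspect' for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if sender in BLOCKED_SENDERS or domain in BLOCKED_DOMAINS:
        return "blocked"
    # Every recipient explicitly named in any To/Cc-style header.
    fields = [v for h in RECIPIENT_HEADERS for v in msg.get_all(h, [])]
    listed = {addr.lower() for _, addr in getaddresses(fields) if addr}
    if listed & MY_ADDRESSES:
        return "inbox"
    # Not addressed to me by name: a bcc, a list, or spam. Park for review.
    return "suspect"


# Constructed sample messages.
PERSONAL = ("From: Friend <friend@example.org>\r\nTo: Barb <barb@example.net>\r\n"
            "Subject: hi\r\n\r\nhello\r\n")
BCC_OR_SPAM = ("From: offer@somewhere.example\r\nTo: undisclosed-recipients:;\r\n"
               "Subject: $$$\r\n\r\nbuy now\r\n")
BLOCKED = "From: bulk@spammer.example\r\nTo: barb@example.net\r\n\r\nx\r\n"
```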