Vixie writes:
since we're talking about laziness, let's look at two ways in which we (nanog "members" and others like us around the world) have been lazy, for decades, and have therefore helped to create the current miserable "abuse" situation.
Paul, let me add one more to your list: As a community, we have been too lazy to take hold of the architectural source of the problem, which is the complete lack of accountability over the ability to post email. This is not a technical issue (although I can hear echos from the long past x.400 community already), it's simply a service definition issue. As a community, we've designed an end-to-end mail protocol(SMTP) and opened it up to everyone. The reality is that the vast majority of end-user customers connected to the Internet have one or two email servers, and there is no reason to allow client connections to port 25 for posting. If ISP's simply filtered port 25 by default except from specified servers, there wouldn't be a huge base of client systems to tap into for robo-farms for spamming. Of course, this breaks the end-to-end model of the Internet... Too bad. End-to-end makes sense in some contexts, and it doesn't in others. This is the latter case. In reality, lots of folks have plenty of good reasons to want open access to port 25 from their entire prefix. That's also fine, *as long as you accept responsibility for what is sent*. Want both wide open access and complete deniability? That's the option we presently have, and frankly, it doesn't scale. /John
On Tue, 13 Apr 2004, John Curran wrote:
Vixie writes:
since we're talking about laziness, let's look at two ways in which we (nanog "members" and others like us around the world) have been lazy, for decades, and have therefore helped to create the current miserable "abuse" situation.
The reality is that the vast majority of end-user customers connected to the Internet have one or two email servers, and there is no reason to allow client connections to port 25 for posting. If ISP's simply filtered port 25 by default except from specified servers, there wouldn't be a huge base of client systems to tap into for robo-farms for spamming.
Hi John, I dont think this is a fair assessment of the SMTP 'abuse' problem.. its a lot more complicated, blocking port 25 will not reduce the volume of spam at all. Most of the spam I'm seeing comes directly from end user hosts that have either an open proxy on them or some kind of malware with its own SMTP engine designed to send out junk.. in this model the only port 25 traffic is that from the end host coming outwards, I believe you're suggestion is to filter port 25 towards hosts. Even blocking the outbound 25 traffic (eg pushing it via the ISP SMTP relay) will not stop the emails. It is possible to extend this and implement some sort of statistical sanity checking on the mail being relayed (eg alarm/deny mail once it exceeds X/minute/host) which is potentially a workable solution.. I'd be interested if theres any patches to the major MTAs to do something with this (we use exim) as it could be an interesting test. Of course this model throws up new problems you need to address such as roaming users not being able to smtp via their 'home' ISP via auth'd SMTP, making sure you dont filter ISP-ISP port 25 traffic etc Steve
At 8:39 PM +0100 4/13/04, Stephen J. Wilcox wrote:
Most of the spam I'm seeing comes directly from end user hosts that have either an open proxy on them or some kind of malware with its own SMTP engine designed to send out junk.. in this model the only port 25 traffic is that from the end host coming outwards, I believe you're suggestion is to filter port 25 towards hosts.
Even blocking the outbound 25 traffic (eg pushing it via the ISP SMTP relay) will not stop the emails. It is possible to extend this and implement some sort of statistical sanity checking on the mail being relayed (eg alarm/deny mail once it exceeds X/minute/host) which is potentially a workable solution.
Steve, I'm very much suggesting blocking outward to the Internet port 25 traffic, except from configured mail relays for that end-user site. Those hosts which have MSTP malware are stopped cold as a result. /John
On Tue, 13 Apr 2004, John Curran wrote:
I'm very much suggesting blocking outward to the Internet port 25 traffic, except from configured mail relays for that end-user site. Those hosts which have MSTP malware are stopped cold as a result.
NNTP is set up almost everywhere with configured server to server connections, and essentially all "open" NNTP user access has been closed down over the years. How is the spam problem on USENET these days?
"Sean" == Sean Donelan <sean@donelan.com> writes:
Sean> NNTP is set up almost everywhere with configured server to Sean> server connections, and essentially all "open" NNTP user access Sean> has been closed down over the years. Sean> How is the spam problem on USENET these days? It's not nearly as bad as it was at its peak, but it's still very much present. -- Andrew, Supernews http://www.supernews.com
On 13-apr-04, at 22:32, Sean Donelan wrote:
I'm very much suggesting blocking outward to the Internet port 25 traffic, except from configured mail relays for that end-user site. Those hosts which have MSTP malware are stopped cold as a result.
NNTP is set up almost everywhere with configured server to server connections, and essentially all "open" NNTP user access has been closed down over the years.
How is the spam problem on USENET these days?
I've been on Usenet again for a while last year and there was surprisingly little spam compared to some years back. Apparently some people have taken it upon themselves to remove all the spam that pops up. NTTP is at an advantage over SMTP here because "personalizing" messages for each recipient isn't possible here. Talking about lazy: blocking port 25 is very lazy, in several ways: intelectually, morally and just plain way. It's intellectually lazy because there are other ways to arrive at the same result that don't arbitrarily block communications between two consenting hosts. Morally it's lazy to assume that just because you don't need something, others won't either. And of course having all those access networks install filters rather than work on the problem yourself is just plain lazy. If we all agree that we don't want to talk SMTP to broadband consumers, it shouldn't be too hard to come up with a registry that lists IP addresses used by broadband consumers. Or maybe it's easier to work the other way around and list the servers we actually may want to talk to. This approach has two main advantages over filtering port 25: 1. People can still talk to unlisted SMTP hosts if they feel they have a good reason to do so (ie, I get to deliver messages directly to my server from home rather than being forced to use my service provider's which may or may not work) 2. Checking is done per SMTP session rather than per IP packet The good news is that the IETF is now starting work on this, so expect results in two or three years.
At 11:15 PM +0200 4/13/04, Iljitsch van Beijnum wrote: This approach has two main advantages over filtering port 25:
1. People can still talk to unlisted SMTP hosts if they feel they have a good reason to do so (ie, I get >to deliver messages directly to my server from home rather than being forced to use my service >provider's which may or may not work)
You're right... Rather than simply having you tell your provider that you're responsible and having port 25 outward opened up, the freedom for anyone to send to port 25 on an ad-hoc basis like we have today is a better idea. Today's spam isn't a problem; everything's working as designed.
The good news is that the IETF is now starting work on this, so expect results in two or three years.
Great idea: here's a case where we need less connectivity and better operational practices, but rather than take that task on, we should do more protocol work. The reality is that the vast majority of email is handed off to a designated mail relay (whether we're talking about consumer connections or office environments), and if we actually configured connectivity in this matter, there wouldn't be a problem. /John
The reality is that the vast majority of email is handed off to a designated mail relay (whether we're talking about consumer connections or office environments), and if we actually configured connectivity in this matter, there wouldn't be a problem.
our innate fear of this stems from suspicion of centralization and the telco switch model. this fear is not clearly unjustified. maybe we can get reasonable security without a police state? randy
When evaluating spam solutions, the first thing I ask is, "Does this empower users?" If the answer is no, it's probably the wrong solution. -- Chris Palmer Staff Technologist, Electronic Frontier Foundation 415 436 9333 x124 (desk), 415 305 5842 (cell)
At 5:38 PM -0700 4/13/04, Chris Palmer wrote:
When evaluating spam solutions, the first thing I ask is, "Does this empower users?" If the answer is no, it's probably the wrong solution.
That's definitely the right idea to start with... The question is, do you change approach after a decade without progress? /John
chris@eff.org (Chris Palmer) writes:
When evaluating spam solutions, the first thing I ask is, "Does this empower users?" If the answer is no, it's probably the wrong solution.
right now the spammers are holding the users hostage: "if you want to be able to read mail from people/hosts you've not been formally introduced to, then you have to swallow our swill also." that's somewhat the opposite of empowerment. if a "spam solution" can take away that crisis and the expense is that my dsl-connected end host has to tunnel its e-mail to someplace out in <www.vix.com/personalcolo> then that's a tradeoff i can live with. -- Paul Vixie
Paul Vixie wrote:
that's somewhat the opposite of empowerment. if a "spam solution" can take away that crisis and the expense is that my dsl-connected end host has to tunnel its e-mail to someplace out in <www.vix.com/personalcolo> then that's a tradeoff i can live with.
You, sure, how about the people who are not really computer literate and use SMTP AUTH to send their mail from various places? Remember that convinience almost always outweighs security with the general population. If it wouldn´t, the ICT market would not look like it looks today. Obviously the other issue is, which has been raised several times, that many provider SMTP services are not really performing up to the expectations of almost instantaneous email delivery. Delays up to days are not too uncommon occurrences. Pete
Chris Palmer wrote:
When evaluating spam solutions, the first thing I ask is, "Does this empower users?" If the answer is no, it's probably the wrong solution.
Spammers are users too. You can't spell "abuser" without "user." You are inherently trying to diminish the power of the abuser users. No spam mitigation solution can ever answer, "yes," to that question without the qualification that at least some users, the abusers, will be disempowered. The equation will always come to balancing how hard you hit the spammers versus minimizing the collateral damage. Or it's another classic example of security versus usability. -- Crist J. Clark crist.clark@globalstar.com Globalstar Communications (408) 933-4387
Spammers are users too. You can't spell "abuser" without "user." You are inherently trying to diminish the power of the abuser users. No spam mitigation solution can ever answer, "yes," to that question without the qualification that at least some users, the abusers, will be disempowered. The equation will always come to balancing how hard you hit the spammers versus minimizing the collateral damage. Or it's another classic example of security versus usability.
But speaking of usability, email becomes IMMEDIATELY unusable if there is a technological "anti-spam" measure in place, be it something client-side like spamassassin or another RFC implemented server-side, that prevents even a single wanted email from getting to you. Especially if you are, for example, sitting at home on the phone with another person saying "Email me that file, again" and it's not going anywhere. At that point, email is 100% dead. Rob Nelson ronelson@vt.edu Rob Nelson ronelson@vt.edu
On Wed, 14 Apr 2004, Randy Bush wrote:
The reality is that the vast majority of email is handed off to a designated mail relay (whether we're talking about consumer connections or office environments), and if we actually configured connectivity in this matter, there wouldn't be a problem.
our innate fear of this stems from suspicion of centralization and the telco switch model. this fear is not clearly unjustified.
There are also plenty of legitimate reasons to permit earthlink/juno/mindspring dialup users to hit mail relays on their own domains. For instance, when on travel how does John Curran access his istaff.org email? (presuming no 'ssh to my shell server and use pine/elm/mh/mailx)
maybe we can get reasonable security without a police state?
What will the jack-booted-thugs do then? :)
On Wed, 14 Apr 2004, Randy Bush wrote:
maybe we can get reasonable security without a police state? What will the jack-booted-thugs do then? :)
tell us how to close down other parts of the net so they can control and profit from them
Ah-ha! too bad that mean old IAB says we can't filter traffic :) (or advises against it, or thinks it's a bad idea...) In all seriousness, the consumer dial/broadband folks had to take actions like port/25 filtering (inbound and outbound actually) to address spam issues with these systems. This is unfortunate for those folks out there that 'need' smtp access to something other than the blessed email servers of their dial/broadband provider(s). Making a more sensible solution for email than the current SMTP, or finding a middle ground that works for dial/broadband users would sure be nice. Any 'port 25' filtering is really just a short term solution until all spambots use locally configured SMTP settings to bypass the filtering :( (atleast that seems to be the case with the spamwar in general, a constantly escalating war of technologies) Perhaps finding a way to make spam non-profitable, or to put enough of the high-end spammers in jail? this seems like a daunting task I must admit :( -Chris
"Christopher L. Morrow" <christopher.morrow@mci.com> writes:
On Wed, 14 Apr 2004, Randy Bush wrote:
The reality is that the vast majority of email is handed off to a designated mail relay (whether we're talking about consumer connections or office environments), and if we actually configured connectivity in this matter, there wouldn't be a problem.
our innate fear of this stems from suspicion of centralization and the telco switch model. this fear is not clearly unjustified.
There are also plenty of legitimate reasons to permit earthlink/juno/mindspring dialup users to hit mail relays on their own domains. For instance, when on travel how does John Curran access his istaff.org email? (presuming no 'ssh to my shell server and use pine/elm/mh/mailx)
Authenticated-only SMTP on port 587 (or alternately 773 if you like being different) as per rfc2476 works great here, and we have several users who dial up from AOL when travelling. AOL translucently proxies outbound port 25 stuff in such a way that either smtp-auth or starttls (forget which, maybe both?) gets broken. Fixing mail clients to try port 587 *first* in the absence of configuration that specifically named a port would remove some of the support overhead for organizations that have to deal with Joe & Jane Luddite as end-users. Are you listening, Microsoft, Qualcomm, Apple? ---Rob
Are there any other Service Providers who have been allocated blocks out of the 83/8 network that are experiencing connectivity issues? We have been allocated 83.146.0.0/18 and customers on this network have difficulty getting to sites like www.mercer.com, hk.yahoo.com etc..etc.. I'm just interested if it is a general BOGON filter issue still or whether this is more specific to our network. Cheers Simon Brilus Bulldog Communications Ltd.
On 14-apr-04, at 14:58, Simon Brilus wrote:
Are there any other Service Providers who have been allocated blocks out of the 83/8 network that are experiencing connectivity issues? We have been allocated 83.146.0.0/18 and customers on this network have difficulty getting to sites like www.mercer.com, hk.yahoo.com etc..etc..
I'm seeing the same thing: works from 80.*, doesn't work from 83.*. Note that www.mercer.com seems to suffer from a bad case of paranoia, they filter traceroute and ping, so probably a misconfigured firewall there. hk.yahoo.com traceroutes just fine from a 212.* address: 13 sl-gw10-hk-15-3.sprintlink.net (203.222.38.54) [AS 1239] 292 msec 292 msec 292 msec 14 sla-yahoo2-1-0.sprintlink.net (203.222.39.74) [AS 1239] 292 msec 292 msec 292 msec 15 alteon1.hkg.yahoo.com (202.1.233.118) [AS 18293] 296 msec 292 msec 292 msec but hits a wall after the last sprintlink hop when coming from 83.*, so it's probably the router in that case: 13 sl-bb20-hk-3-0.sprintlink.net (144.232.20.28) 293.716 ms 293.990 ms 294.028 ms 14 sl-gw10-hk-15-3.sprintlink.net (203.222.38.54) 292.629 ms 292.934 ms 292.710 ms 15 * * *
I'm seeing the same thing: works from 80.*, doesn't work from 83.*. Note that www.mercer.com seems to suffer from a bad case of paranoia, they filter traceroute and ping, so probably a misconfigured firewall there. hk.yahoo.com traceroutes just fine from a 212.* address:
TCP port 80 can also be used to traceroute... hping is your friend. http://www.hping.org (or apt-get install hping2 on apt-friendly distributions) Rubens
Simon, We see many advertisements out of 83/8 at our various observation points, but never 83.146.0.0/18. bgp.lcs.mit.edu provides various perspectives. For example, at MIT: Nothing from your prefix: http://bgp.lcs.mit.edu/bgpview.cgi?time=between&start=2004-1-1&end=2004-4-15&bins=10&prefix=83.146.0.0%2F18&rel=lte&aspath=&asrel=contain&origin_as=&scale=linear&table=mit__main_ron_lcs_mit_edu_updates&action=list&View=View but plenty from 83/8: http://bgp.lcs.mit.edu/bgpview.cgi?time=between&start=2004-4-14&end=2004-4-15&bins=10&prefix=83.0.0.0%2F8&rel=lte&aspath=&asrel=contain&origin_as=&scale=linear&table=mit__main_ron_lcs_mit_edu_updates&action=list&View=View cheers, -Nick On Wed, Apr 14, 2004 at 01:58:20PM +0100, Simon Brilus wrote:
Are there any other Service Providers who have been allocated blocks out of the 83/8 network that are experiencing connectivity issues? We have been allocated 83.146.0.0/18 and customers on this network have difficulty getting to sites like www.mercer.com, hk.yahoo.com etc..etc..
I'm just interested if it is a general BOGON filter issue still or whether this is more specific to our network.
Cheers
Simon Brilus Bulldog Communications Ltd.
In message <p06020407bca227be1be3@[192.168.1.101]>, John Curran writes:
The reality is that the vast majority of email is handed off to a designated mail relay (whether we're talking about consumer connections or office environments), and if we actually configured connectivity in this matter, there wouldn't be a problem.
John, the problem is deciding who is an *authorized* email sender. For example, I own a machine in a random rack -- can it send email? The way I operate, it sometimes needs to -- I often set up tunnels to it from my laptop and from other machines in "banned" address ranges, and let it send my email. For that matter, it hosts several IETF and personal mailing lists. Now assume that someone in some strange and wondrous part of the world has a similar need. Are they authorized? According to whom? There have been a lot of authentication-based and filter-based schemes proposed, but I've yet to see a scheme that solves the authorization problem satisfactorily. Not everyone wants to (or is able to) entrust their email to a a Tier 1 ISP; if nothing else, the Tier 1s would charge for the privilege. --Steve Bellovin, http://www.research.att.com/~smb
At 8:36 PM -0400 4/13/04, Steven M. Bellovin wrote:
Now assume that someone in some strange and wondrous part of the world has a similar need. Are they authorized? According to whom?
Steve, you're authorized if you say you are and agree to accept responsibility. Most corporations would readily provide the addresses of their mail servers; anyone on DSL or cable connection could do the same. But by changing the default behavior to block port 25 until requested, you could readily address the spam problem. It would take some work on the part of operator community (hence the subject), and doesn't fit in the world wide commune perspective of networking, but it would make the Internet far more useful for everyone. /John
In message <p06020409bca2403fda31@[192.168.1.101]>, John Curran writes:
At 8:36 PM -0400 4/13/04, Steven M. Bellovin wrote:
Now assume that someone in some strange and wondrous part of the world has a similar need. Are they authorized? According to whom?
Steve, you're authorized if you say you are and agree to accept responsibility . Most corporations would readily provide the addresses of their mail servers; anyone on DSL or cable connection could do the same. But by changing the default behavior to block port 25 until requested, you could readily address t he spam problem. It would take some work on the part of operator community (hence the subject), and doesn't fit in the world wide commune perspective of networking, but it would make the Internet far more useful for everyone.
The spammers are already creating throw-away domains; they'd do the same with mail sender authorizations. "I am Spam, Spam I am" -- and send their turds and run. --Steve Bellovin, http://www.research.att.com/~smb
At 11:11 PM -0400 4/13/04, Steven M. Bellovin wrote:
The spammers are already creating throw-away domains; they'd do the same with mail sender authorizations. "I am Spam, Spam I am" -- and send their turds and run.
Steve, this is not an authorization problem. I know that is how you like to characterize it. Yes, any spam house will simply say, please open the door, and have it done. I don't claim to attempt to validate the customer intent, and this doesn't address that portion of the problem. The problem is one of the default network behavior. Giving every PC default access to every mail server, combined with the state of individual machine security, results in situation where spammers can harvest farms of open machines which can originate email. If we can fix this by changing default behavior to make such machines less useful to hackers, while still allowing anyone who wants to originate to do so at will via configuration, what is the harm? To date, the most vocal objections have come from architectural purists and manufacturers of disk storage. /John
Steve, you're authorized if you say you are and agree to accept responsibility. Most corporations would readily provide the addresses of their mail servers; anyone on DSL or cable connection could do the same. But by changing the default behavior to block port 25 until requested, you could readily address the spam problem. It would take some work on the part of operator community (hence the subject), and doesn't fit in the world wide commune perspective of networking, but it would make the Internet far more useful for everyone.
(I realize I'm a few days late on this, been travelling all week) What about that small business with a remote site on a cable modem? All they want is their local server to talk to the one upstream, and they'd rather pay, say, Time Warner $50 a month on a dynamic instead of $200 for a single static IP. Can't really blame them, can you? Is this authorization-filter-scheme going to account for servers on dynamic IP? Rob Nelson ronelson@vt.edu
Not everyone wants to (or is able to) entrust their email to a a Tier 1 ISP; if nothing else, the Tier 1s would charge for the privilege.
A tier 1 provider in the SMTP mesh does not have to be the same thing as a tier 1 provider in the physical mesh. See the structure of the NNTP mesh over the years for examples. I fully expect to see specialized email peering providers arise who will have SMTP peering arrangements with the large email site like AOL, Yahoo, Hotmail etc. and who then arrange peering with large numbers of smaller sites who either cannot find SMTP peering locally or who want to be assured of alternate SMTP routes in the event their main peer cannot reach all destinations. Michael Dillon
On Wed, Apr 14, 2004, Michael.Dillon@radianz.com wrote:
Not everyone wants to (or is able to) entrust their email to a a Tier 1 ISP; if nothing else, the Tier 1s would charge for the privilege.
A tier 1 provider in the SMTP mesh does not have to be the same thing as a tier 1 provider in the physical mesh. See the structure of the NNTP mesh over the years for examples. I fully expect to see specialized email peering providers arise who will have SMTP peering arrangements with the large email site like AOL, Yahoo, Hotmail etc. and who then arrange peering with large numbers of smaller sites who either cannot find SMTP peering locally or who want to be assured of alternate SMTP routes in the event their main peer cannot reach all destinations.
.. and then I pay my upstream for the privilege of them sending my mail along for me? All of that equipment so a bunch of universities can feed their upstream a whole chunk of email reliably isn't exactly going to be cheap. These specialised email providers are going to have to have _some_ form of transit to handle 'just email', increasing the cost. I wonder how many backbone providers want to run their own email gateways for all email passing through their network and have to provide some form of guaranteed service to their customers. I wonder how this is going to affect SMTP mail handling as it stands - for example, how many 'hops' will there be between this university's mail gateway and, say, MIT's mail gateway(s)? Will people start playing header rewrite tricks so MTAs around the world don't bomb out with "exceeded hop count" ? "Just one hop!" games, a la IP routing in the final stages of last century, may rear its ugly head again. I don't believe comparing this to NNTP is entirely valid - you don't have the overhead of multiple crazy NNTP server implementations causing you the utmost of pain; you don't have to worry about handling bounces and temporary DNS failures along each path; article routing (whether you chose push or pull) was much, much simpler. Adrian -- Adrian Chadd I'm only a fanboy if <adrian@creative.net.au> I emailed Wesley Crusher.
Adrian Chadd wrote:
I wonder how this is going to affect SMTP mail handling as it stands - for example, how many 'hops' will there be between this university's mail gateway and, say, MIT's mail gateway(s)? Will people start playing header rewrite tricks so MTAs around the world don't bomb out with "exceeded hop count" ? "Just one hop!" games, a la IP routing in the final stages of last century, may rear its ugly head again.
Could the MTA´s run something similar to MPLS so they could reduce the hop count and "funnel" the email though instead of storing and forwarding it hop by hop? Maybe some users would then be willing to pay more for the extra complexity and it would also skyrocket job security. Pete
On 14-apr-04, at 11:50, Petri Helenius wrote:
I wonder how this is going to affect SMTP mail handling as it stands - for example, how many 'hops' will there be between this university's mail gateway and, say, MIT's mail gateway(s)? Will people start playing header rewrite tricks so MTAs around the world don't bomb out with "exceeded hop count" ? "Just one hop!" games, a la IP routing in the final stages of last century, may rear its ugly head again.
Could the MTA´s run something similar to MPLS so they could reduce the hop count and "funnel" the email though instead of storing and forwarding it hop by hop? Maybe some users would then be willing to pay more for the extra complexity and it would also skyrocket job security.
How would multi-hop routing work for ~100M domains, anyway? Requiring a hop in the middle could be useful in order to create a choke point where rate limiting can be done, but doing multihop makes little sense. The authorization information implied in the routing can just as easily be learned from the sender, if protected through cryptographic means. (Yes, #include <pki.h> but that's the part where we show that we aren't so lazy after all.)
On Wed, 14 Apr 2004 Michael.Dillon@radianz.com wrote: : > Not everyone wants to (or is able to) entrust : > their email to a a Tier 1 ISP; if nothing else, the Tier 1s would : > charge for the privilege. : : A tier 1 provider in the SMTP mesh does not have to : be the same thing as a tier 1 provider in the : physical mesh. ...!i!feel!a!dose!of!queasy!nostalgia!coming!on!here -- -- Todd Vierling <tv@duh.org> <tv@pobox.com>
On 14-apr-04, at 1:56, John Curran wrote:
This approach has two main advantages over filtering port 25:
1. People can still talk to unlisted SMTP hosts if they feel they have a good reason to do so (ie, I get >to deliver messages directly to my server from home rather than being forced to use my service
provider's which may or may not work)
You're right... Rather than simply having you tell your provider that you're responsible and having port 25 outward opened up, the freedom for anyone to send to port 25 on an ad-hoc basis like we have today is a better idea. Today's spam isn't a problem; everything's working as designed.
I understand your frustration, but the approach of blocking port 25 isn't the right one. It may be convenient for you, but there are plenty of people who have good reasons for using other SMTP servers than their access provider's ones. And do you think people who are unable to run a good mail service will be able to selectively open up filters in a sane way? Filtering can also have a serious performance impact on some equipment. And of course this approach isn't going to work anyway: many access providers can't even be bothered to implement anti-spoofing filters, so there is no way that ALL consumer access providers are going to do this within a reasonable time frame.
The good news is that the IETF is now starting work on this, so expect results in two or three years.
Great idea: here's a case where we need less connectivity and better operational practices, but rather than take that task on, we should do more protocol work.
The idea is that new records in the DNS show which hosts are allowed to deliver mail for a domain. This means spammers must use a domain they control. That's a good start, as it makes white- and blacklisting a lot easier. However, this isn't enough. A next step would be to require that a host that is delivering mail must be flagged as a designated outgoing SMTP host for the reversed mapping domain name of its IP address. (Which obviously isn't going to happen for Joe Cable or Jane ADSL.) (There is still an issue with IPv6 though, as here everyone, including consumers, usually runs their own reverse DNS servers.)
The reality is that the vast majority of email is handed off to a designated mail relay (whether we're talking about consumer connections or office environments), and if we actually configured connectivity in this matter, there wouldn't be a problem.
I don't think cutting off one of the monster's heads will do it (there was spam in the good old days when Windows didn't do IP without installing Trumpet Winsock or something similar). There are other ways to get rid of almost all spam, but apparently for most people the pain isn't bad enough to start using them yet. (I installed Spamassasin over the weekend, and it caught 50 of 53 overnight spam messages. My client caught the remaining 3, no false positives.)
"Iljitsch" == Iljitsch van Beijnum <iljitsch@muada.com> writes:
Iljitsch> I understand your frustration, but the approach of blocking Iljitsch> port 25 isn't the right one. As a generalization this is inevitably false - there are networks where blocking port 25 is absolutely the right approach, and networks where it is not. Iljitsch> It may be convenient for you, but there are plenty of Iljitsch> people who have good reasons for using other SMTP servers Iljitsch> than their access provider's ones. For these people there is port 587. Using port 25 for smarthosting needs to die (arguably it is already dead, it just hasn't stopped moving yet). Port 25 is for sending mail to the recipient's MX host. Port 587 is for sending mail to the sender's smarthost. The policy requirements and abuse characteristics of the two types of services are sufficiently different that trying to treat them as the same, even though they happen to be using the same underlying protocol, is just going to cause pain. -- Andrew, Supernews http://www.supernews.com
On 14 Apr 2004, at 04:00, Andrew - Supernews wrote:
Iljitsch> It may be convenient for you, but there are plenty of Iljitsch> people who have good reasons for using other SMTP servers Iljitsch> than their access provider's ones.
For these people there is port 587.
For some of these people there is also (apparently!) MAPI over HTTPS. Joe
At 12:33 AM 4/14/2004, Iljitsch van Beijnum wrote:
I understand your frustration, but the approach of blocking port 25 isn't the right one. It may be convenient for you, but ...
Dood, this *exact* argument was made ~10 years ago against closing open relays. So, do you think that everyone should just open their servers to relaying for anyone, since closing all the open relays has proven to be inconvenient for some, and not a 100% effective solution? jc -- p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.
On 14-apr-04, at 17:45, JC Dill wrote:
I understand your frustration, but the approach of blocking port 25 isn't the right one. It may be convenient for you, but ...
Dood, this *exact* argument was made ~10 years ago against closing open relays. So, do you think that everyone should just open their servers to relaying for anyone, since closing all the open relays has proven to be inconvenient for some, and not a 100% effective solution?
Hm... "If you go faster than 30 km/h in a train the air will be sucked out and everyone inside will suffocate" vs "if you fly through the stratosphere in an airplane without a closed cabin the air will be sucked out and everyone inside will suffocate". So just because the former turned out incorrect the latter is as well? Now one could view a typical Windows box behind a broadband connection to be functionally equivalent to an open relay, in which case "closing the relay" would make sense, as open relays allow malicious third parties to unload their garbage upon the net with little recourse. However, filtering TCP port 25 is bad not just because it is massively inconvenient for many people (ever work in support?) but also because this is fixing an application layer problem at the transport layer, which is bad both architecturally and performance wise. (And yes, all those CPU or ASIC cycles inspecting every single packet, including the 99% that aren't email in the first place, cost real power that causes real CO2 to be released into the atmosphere, etc...) If despite this, filtering port 25 would actually have a decent chance of helping us get rid of spam, maybe, just maybe we should consider it. But as I've said before: spam was there when Windows was too stupid to even be vulnerable to anything coming in from the net, and the likeliness of global cooperation within a reasonable timeframe is close to zero anyway.
p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.
Maybe the list should add a reply-to? Or am I starting another flamewar here?
Iljitsch van Beijnum wrote:
p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.
Maybe the list should add a reply-to? Or am I starting another flamewar here?
No, it goes with the subject, lazy people run systems which don´t check if they got the same message twice. Might even reduce spam :-) Pete
flamewar here?
No, it goes with the subject, lazy people run systems which don´t check if they got the same message twice.
I like the reply-to-all.. when the list is busy its easier to spot replies to my post if i'm choosing to ignore new threads.. :) Steve
At 10:47 AM 4/14/2004, Iljitsch van Beijnum wrote:
On 14-apr-04, at 17:45, JC Dill wrote:
I understand your frustration, but the approach of blocking port 25 isn't the right one. It may be convenient for you, but ...
Dood, this *exact* argument was made ~10 years ago against closing open relays. So, do you think that everyone should just open their servers to relaying for anyone, since closing all the open relays has proven to be inconvenient for some, and not a 100% effective solution?
Hm... "If you go faster than 30 km/h in a train the air will be sucked out and everyone inside will suffocate" vs "if you fly through the stratosphere in an airplane without a closed cabin the air will be sucked out and everyone inside will suffocate". So just because the former turned out incorrect the latter is as well?
That's a bad analogy, therefore your comparison is worthless. Closing port 25 is *very* similar to closing your server to relaying. It is a way to ensure that only authorized users send email from your network.
However, filtering TCP port 25 is bad not just because it is massively inconvenient for many people (ever work in support?)
Simply put, I do not agree with your assertion here. Most people are not inconvenienced by this change. In reality, very *few* people are inconvenienced. And those people have alternate solutions. I have helped many people configure one of these solutions when they have encountered port 25 blocking. Recently, I helped a friend who was suddenly "no longer able to send work email from her laptop at home" because their home DSL connection thru her husband's employer had implemented port 25 filtering. The solution was to create a profile on her laptop that used the DSL provider's server, and for her to select that profile when sending email from home. An even simpler solution would have been to use port 587, if her own work server had offered this option (unfortunately, it doesn't). Many ISPs have successfully implemented port 25 filtering. The support costs associated with implementing this change are small in the long run, especially when compared to the reduced abuse support costs you will realize when you are no longer empowering your users to abuse port 25 on other servers. This is the same story as when you closed your open relays, and briefly had increased support costs, which were offset by the reduced abuse support costs since you no longer were subject to being used as a relay or getting complaints about the spam your servers were spewing. It's been ten years now: <http://slashdot.org/articles/04/03/05/160229.shtml> We need to stop whining that it's "hard" or "expensive" do to the right thing and close loopholes that are abused by spammers. It's much harder and more expensive long term to NOT do the right thing. jc -- p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.
On 14-apr-04, at 21:16, JC Dill wrote:
However, filtering TCP port 25 is bad not just because it is massively inconvenient for many people (ever work in support?)
Simply put, I do not agree with your assertion here.
And you conveniently left out all the more important ones again. I guess you must be right then.
We need to stop whining that it's "hard" or "expensive" do to the right thing and close loopholes that are abused by spammers. It's much harder and more expensive long term to NOT do the right thing.
Ok, speaking as someone who operates networks right now (I only run a mail server for one user: myself): if you application types can't make your protocols and implementations do what you want: tough. That's your problem. I'm not about to change the network to accommodate you. There are (potentially) 255 other protocols in IP and 65535 other ports in TCP, what if they all want special handling? Forget it. But feel free to come back and complain again when the percentage of network traffic for your protocol reaches double digits.
JD> Date: Wed, 14 Apr 2004 12:16:46 -0700 JD> From: JC Dill JD> We need to stop whining that it's "hard" or "expensive" do to JD> the right thing and close loopholes that are abused by JD> spammers. It's much harder Aand more expensive long term to JD> NOT do the right thing. Leave it for future generations. It works in politics. (Detection of sarcasm is left as an exercise for the reader.) Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _________________________________________________________________ DO NOT send mail to the following addresses : blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net Sending mail to spambait addresses is a great way to get blocked.
On (13/04/04 15:52), John Curran wrote:
I'm very much suggesting blocking outward to the Internet port 25 traffic, except from configured mail relays for that end-user site. Those hosts which have MSTP malware are stopped cold as a result.
so the malware writers start using port 80 through open proxies...they do already. or they go after the im client ports more. there are ways to send mail if 25 is blocked to me /joshua -- When in danger, or in doubt, run in circles, scream and shout. - unknown -
At 10:13 PM -0400 4/13/04, joshua sahala wrote:
so the malware writers start using port 80 through open proxies...they do already. or they go after the im client ports more. there are ways to send mail if 25 is blocked to me
Yep, there's no doubt we'd have to deal with the next round of creative approaches. I'd still wager we'd see a major decrease in spam as a result of some simple configuration. /John
so the malware writers start using port 80 through open proxies...they do already. or they go after the im client ports more. there are ways to send mail if 25 is blocked to me
But if the email architecture has been changed to only allow known users to inject email into it, then other service architectures will have that as an example to follow. The fact that a particular solution will not lead directly to world peace is not sufficient reason for discarding that solution. Michael Dillon
Paul, let me add one more to your list: As a community, we have been too lazy to take hold of the architectural source of the problem, which is the complete lack of accountability over the ability to post email.
Hear, hear.
Of course, this breaks the end-to-end model of the Internet... Too bad. End-to-end makes sense in some contexts, and it doesn't in others. This is the latter case.
John, I don't believe that it is necessary to break the end-to-end model of the Internet in order to implement accountability for posting email. Rather than filtering port 25 at the user ISP, every ISP who operates an SMTP server could simply get off their butt and stop accepting connections from anyone that they don't know. In the case of a user ISP, they know all their own customers. And they should know a significant number of their email peers. If people can make arrangments for NNTP peering or BGP peering rather than opening it to all comers, why can't we do the same for SMTP? Pure laziness and lack of vision, IMHO. Michael Dillon
On Wed, 14 Apr 2004 Michael.Dillon@radianz.com wrote:
Paul, let me add one more to your list: As a community, we have been too lazy to take hold of the architectural source of the problem, which is the complete lack of accountability over the ability to post email.
Hear, hear.
Of course, this breaks the end-to-end model of the Internet... Too bad. End-to-end makes sense in some contexts, and it doesn't in others. This is the latter case.
John, I don't believe that it is necessary to break the end-to-end model of the Internet in order to implement accountability for posting email. Rather than filtering port 25 at the user ISP, every ISP who operates an SMTP server could simply get off their butt and stop accepting connections from anyone that they don't know. In the case of a user ISP, they know all their own customers. And they should know a significant number of their email peers. If people can make arrangments for NNTP peering or BGP peering rather than opening it to all comers, why can't we do the same for SMTP? Pure laziness and lack of vision, IMHO.
A lack of desire to further commercialize something we all pay for already? after smtp peering comes smtp de-peering, settlement based smtp exchange and smtp transit, etc.
Michael Dillon
-- -------------------------------------------------------------------------- Joel Jaeggli Unix Consulting joelja@darkwing.uoregon.edu GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
there are two replies here. -------- jcurran@istaff.org (John Curran) writes:
Paul, let me add one more to your list: As a community, we have been too lazy to take hold of the architectural source of the problem, which is the complete lack of accountability over the ability to post email.
while i agree, i want to make sure it's for the right reason. in a high growth area like internet services, it's hard enough to double in size as often as your competitors do (assuming enough business for all) even without architectural changes. for example, if ipv6 becomes the dominant transport it will be during a lull in the boom/bust cycle, not during boom times and certainly not during bust times. a number of people have tried to solve the "first mile accountability" problem (that term was first coined by mike o'dell before 1998, btw) but most members of the community saw their best bang:buck elsewhere than buying into these solutions. so they weren't lazy about new architectures, but they were disorganized and distracted. they were lazy, but not about new architectures. they were lazy about technology planning, and the ietf as a coopetition medium completely failed to scale to the size of the community, and so members of the community have been lazy about re-designing the ietf (or something like it) into something that can accomplish coopetitive technology planning at the current scale/size of the market/community. so, yes, lazy, but about what, do we agree?
If ISP's simply filtered port 25 by default except from specified servers, there wouldn't be a huge base of client systems to tap into for robo-farms for spamming.
absolutely true. see <http://sa.vix.com/~vixie/mailfrom.txt>, or see yahoo "domainkeys", or see the IETF MARID WG, or see SPF. as you can see we have many ways to solve this problem but no critical mass, present or likely.
Of course, this breaks the end-to-end model of the Internet... Too bad. End-to-end makes sense in some contexts, and it doesn't in others. This is the latter case.
preventing DDoS and IP source address forgery each also break what the IAB calls "the end-to-end model". i guess that means it's time to update the model, since the community isn't going to let go of its firewalls or NAT gateways any time soon. (dunno if you heard, but in spite of 128 bits of address space, the enterprise user community is now asking for IPv6 NAT.) -------- pete@he.iki.fi (Petri Helenius) writes:
You, sure, how about the people who are not really computer literate and use SMTP AUTH to send their mail from various places?
yes, i'm very sure. as soon as their outbound mail stops working, they'll find alternatives. given that folks seem to be able to find hotmail and yahoo and other free e-mail providers as alteratives to their cable/dsl providers, i consider it inevitable that SMTP AUTH vendors will find a way to market and compete in this field. all we need is...
Obviously the other issue is, which has been raised several times, that many provider SMTP services are not really performing up to the expectations of almost instantaneous email delivery. Delays up to days are not too uncommon occurrences.
...for things to keep getting worse, to encourage innovative & independence. -- Paul Vixie
On 15-apr-04, at 2:45, Paul Vixie wrote:
preventing DDoS and IP source address forgery each also break what the IAB calls "the end-to-end model".
How so?
(dunno if you heard, but in spite of 128 bits of address space, the enterprise user community is now asking for IPv6 NAT.)
I hadn't, pointer please?
participants (25)
-
Adrian Chadd
-
Andrew - Supernews
-
Chris Palmer
-
Christopher L. Morrow
-
Crist Clark
-
E.B. Dreger
-
Iljitsch van Beijnum
-
JC Dill
-
Joe Abley
-
Joel Jaeggli
-
John Curran
-
joshua sahala
-
Michael.Dillon@radianz.com
-
Nick Feamster
-
Paul Vixie
-
Petri Helenius
-
Randy Bush
-
Rob Nelson
-
Robert E. Seastrom
-
Rubens Kuhl Jr.
-
Sean Donelan
-
Simon Brilus
-
Stephen J. Wilcox
-
Steven M. Bellovin
-
Todd Vierling