[In the message entitled "RE: Stealth Blocking" on May 24, Roeland Meyer <rmeyer@mhsc.com> writes:]
I'm getting seriously confused here. I thought that the open-relay issue was irelevent to MAPS. That MAPS only black-holed confirmed SPAM sites (a little tougher, but more granular, charter). Further, that it was ORBS that listed open-relay sites specifically, whether they were involved in a spam or not (unacceptable due to punishing potential anti-spammers for proliferating spam that never saw their systems). To me, these are two entirely different charters. If MAPS starts to look like ORBS then I will stop using MAPS.
Can someone please clarify?
Sure. MAPS has four real-time lists. The MAPS RBL(sm) is a list of sites and networks which are known to be friendly, or neutral to spam. They include sites which harbour known spam origin points, multi-hop open relays which refuse to close (and have transmitted spam), spamware sites, and other persistant spam sources. Hosts and networks can use this list via DNS (rejecting mail, and other traffic as they see fit), or BGP (usually blackholing all traffic bound for those sites). It's very hard to get a site listed. It's quite easy to get off the RBL, assuming that the issue that caused the listing has been corrected. The MAPS RSS(sm) is a list of open relays *which have been abused*. These are sites which have been reported to MAPS as open relays, and have spam samples. Once the spam has been verified, a test is performed to verify that the site is, indeed, an open relay. If a sample message is accepted, and then returned by the site as a relay, the host is listed. Removal from the RSS requires that the host no longer relays. Automated probes are never done - a human must request the test, and spam must be available. Because of the very large number of hosts listed (around 100,000 as I write this), it's generally used in DNS mode only. It's pretty easy to get a host which is an open relay that has transmitted spam onto the list. Between 100 and 1,500 hosts per day are added, and hundreds per day are taken off (as soon as they let MAPS know that the relay has been closed). The MAPS DUL(sm) is a list of dialup ports. These are dialups which have been reported to MAPS by the ISP running them, or by users which have received spam from the dialup. An investigator verifies that the address range does contain dialup ports before they are listed. Hosts and networks typically use this list in DNS mode to reject direct-from-dialup spam. It's time-consuming to get an address listed, and also time-consuming to get an address removed from this list. The MAPS RBL+(sm) is a combined list, which allows a single lookup to search all lists. It's possible to use this in BGP mode, but it's unlikely that anyone would want to do so. So, does MAPS look like ORBS? ORBS probes systems no matter if spam has emitted or not. Does this catch more open relays? You bet. Is it network abuse to scan for open relays? I think so. Do spammers use the same techniques? You bet. MAPS probes systems only after they have been abused by spammers. Does this allow spammers to use the relays for at least one spam run? You bet. Is it network abuse to confirm an open relay that has transmitted spam? I don't think so. Do spammers use the same techniques? I don't think so. ORBS probes systems periodically after they are listed to see if they have been closed. Does this ensure that relays are removed after they are secured? Sort of. But this requires that the hosts listed be probed frequently, and still doesn't ensure that they are removed "as soon as they are secured". MAPS depends on the system administrator contacting MAPS to get a host de-listed. Does this ensure that they are removed once they are secured? Sort of. It does require that the admin be willing to contact MAPS. So, does MAPS look like ORBS? You decide. I'm certain that all of the network owners on this list want spam to stop. MAPS is one tool that can help. ORBS is another. Where you draw the line, or how you protect your networks is your choice. One thing that I think *will* help, particularly in the short term, is port 25 blocking of dialup ports. It's my personal opinion that this will have the greatest impact on spammers who abuse open relays. I've watched this happen over the last few months, as various large networks have secured their dialup ports. It's impressive. --
Returning to operational traffic:
One thing that I think *will* help, particularly in the short term, is port 25 blocking of dialup ports. It's my personal opinion that this will have the greatest impact on spammers who abuse open relays. I've watched this happen over the last few months, as various large networks have secured their dialup ports. It's impressive.
TCP rate-limiting on outbound traffic to *:25 would also be extremely effective, particularly on unclassified customer traffic, and without the heavy-handed nature of denying all dial-up traffic. Rate-limiting doesn't interfere with low-volume legitimate mail, but it really cramps spam. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Thu, 24 May 2001 09:46:19 PDT, "Eric A. Hall" said:
TCP rate-limiting on outbound traffic to *:25 would also be extremely effective, particularly on unclassified customer traffic, and without the heavy-handed nature of denying all dial-up traffic. Rate-limiting doesn't interfere with low-volume legitimate mail, but it really cramps spam.
I've seen a number of opinions that it doesn't do squat to cramp spam. Remember that the spammer is handing the "open" relay one piece of mail with zillions of RCPT TO:s - rate limiting the outbound just means that the zillions of recipients sit in *your* queue that much longer. Also, I have heard from multiple sources that the spammers are well clued enough to utilize multiple relays in parallel - if you rate limit to 1/N of bandwidth, they just use N relays at the same time. The problem is that you shoot YOURSELF in the foot by DOS'ing yourself by the time you get N cranked high enough to do any serious damage to the spammer.... -- Valdis Kletnieks Operating Systems Analyst Virginia Tech
Remember that the spammer is handing the "open" relay one piece of mail with zillions of RCPT TO:s - rate limiting the outbound just means that the zillions of recipients sit in *your* queue that much longer.
I will add "further punishes/diminishes the harm of open relays" to the "pro" column. ;)
I have heard from multiple sources that the spammers are well clued enough to utilize multiple relays in parallel - if you rate limit to 1/N of bandwidth, they just use N relays at the same time.
If the rate limit is applied to *:25, then the *MORE* relays the spammer uses, the longer it takes for him to do it. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Thu, May 24, 2001 at 09:46:19AM -0700, Eric A. Hall wrote:
TCP rate-limiting on outbound traffic to *:25 would also be extremely effective, particularly on unclassified customer traffic, and without the heavy-handed nature of denying all dial-up traffic. Rate-limiting doesn't interfere with low-volume legitimate mail, but it really cramps spam.
It interferes heavily with transmission of large files via email, though, and this *IS* a valid use of service.
Shawn McMahon wrote:
TCP rate-limiting on outbound traffic to *:25 would also be extremely effective, particularly on unclassified customer traffic, and without the heavy-handed nature of denying all dial-up traffic. Rate-limiting doesn't interfere with low-volume legitimate mail, but it really cramps spam.
It interferes heavily with transmission of large files via email, though, and this *IS* a valid use of service.
The transmission of large files is not a valid use of email. -- Tired of Earthlink? Get JustTheNet! Nationwide Dialup, ISDN, DSL, ATM, Frame Relay, T-1, T-3, and more. EARTHLINK AMNESTY PROGRAM: Buy a year, get two months free More info coming soon to http://JustThe.net, or e-mail me! B!ff: K3wl, w3'v3 r00t3D da N@vy... 0h CrAp, INC0M!Ng $%^NO CARRIER
On Thu, May 24, 2001 at 05:50:39PM -0400, Steve Sobol wrote:
The transmission of large files is not a valid use of email.
So you say. Feel free to configure your network that way. Meanwhile, millions of people will continue to disagree with you daily.
Returning to operational traffic:
One thing that I think *will* help, particularly in the short term, is port 25 blocking of dialup ports. It's my personal opinion that this will have the greatest impact on spammers who abuse open relays. I've watched this happen over the last few months, as various large networks have secured their dialup ports. It's impressive.
TCP rate-limiting on outbound traffic to *:25 would also be extremely effective, particularly on unclassified customer traffic, and without the heavy-handed nature of denying all dial-up traffic. Rate-limiting doesn't interfere with low-volume legitimate mail, but it really cramps spam.
I'm partial to intercepting, rather than blocking, port 25 outbound traffic from dialups and redirecting it to a mail relay. This way, you can easily see which of your users are sending spam, because you force it all to go through your own mail relay, even when the dialup user tried to connect directly to MX hosts. Roaming users would not need to change their MUA configuration to use a different outgoing relay. It also gives you the opportunity to expunge the queue of spam as soon as it is noticed, sparing other admins the pain of dealing with it, and saving yourself some embarassment and pain dealing with the complaints.
-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Thu, 24 May 2001, Dave Rand wrote:
The MAPS RSS(sm) is a list of open relays *which have been abused*. These are sites which have been reported to MAPS as open relays, and have spam samples. Once the spam has been verified, a test is performed to verify that the site is, indeed, an open relay. If a sample message is accepted, and then returned by the site as a relay, the host is listed. Removal from the RSS requires that the host no longer relays. Automated probes are never done - a human must request the test, and spam must be available. Because of the very large number of hosts listed (around 100,000 as I write this), it's generally used in DNS mode only. It's pretty easy to get a host which is an open relay that has transmitted spam onto the list. Between 100 and 1,500 hosts per day are added, and hundreds per day are taken off (as soon as they let MAPS know that the relay has been closed).
Very interesting statistics. It gives you a clear picture of the magnitude of the squeeze. Now I understand why such heavy hammer was needed at the helm full-time. Supposing that 100,000 server owners plus those forcibly 're-educated' get together and do something about it, like scream, or jump of a 12 inch stool, or donate $10 each, would they be able to shake Dave off his high horse? How about if they also rally their users that were suddenly cut off? The collateral damage in blocking 100,000 hosts is simply unacceptable. Especially because there are only a few hundred die-hard professional spammers that need to be rooted out, and the problem diminishes, or at least becomes manageable in another way. As an ISP, I have yet to see a list of black sheep compiled consisting of individuals, spam companies, or credit cards used to defraud that should not be subscribed. Banks share such information, why can't ISPs? No matter how noble the cause, the methods are wrong. In all the debate, it was perhaps lost that no viable technological solution to roaming, meaning one that is happily accepted by the end user, exists yet. And please don't mention SMTP Auth, it's not perfected yet. --Mitch NetSide
On Thu, 24 May 2001, Mitch Halmu wrote:
No matter how noble the cause, the methods are wrong. In all the debate, it was perhaps lost that no viable technological solution to roaming, meaning one that is happily accepted by the end user, exists yet. And please don't mention SMTP Auth, it's not perfected yet.
pop-before-smtp happily accepted by hundreds of thousands of roaming clients. -Dan
-----BEGIN PGP SIGNED MESSAGE----- On Thu, 24 May 2001, Mitch Halmu wrote: [...]
No matter how noble the cause, the methods are wrong. In all the debate, it was perhaps lost that no viable technological solution to roaming, meaning one that is happily accepted by the end user, exists yet. And please don't mention SMTP Auth, it's not perfected yet.
http://spam.abuse.net/spam/tools/smPbS.html POP3 before SMTP. Works for any MUA that supports POP3, and the only impact to the user experience is that the user needs to check her mail before she sends mail (which most do anyway). Now, please try this, close your relay, and cease this off-topic whining to this list. Matt - -- Matthew S. Cramer <mscramer@armstrong.com> Office: 717-396-5032 Lead Security Analyst Fax: 717-396-5590 Armstrong Information Technology Services Pager: 717-305-3915 Armstrong World Industries, Inc. Cell: 717-917-7099 -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: ascii iQEVAwUBOw1naQdAU78fakRxAQFaAggAgvHi5DP0wdttaukucznllio5wwT0aSUA OcN6kh68xnp4Uq7Cuogcs0HnBtVD4HHpsiOKRMpbOS9aH2tp30iyvsaFzoJhZXFR WuMEPJNPSjMSAYTE6DatYWrJgTzvn4i+RTTFwsW/wi2/XrJJ/4Hs36Gaeg4ZoA// VIPMSdp1qzgGpofWYEOfSfzMiXsEAA9AsHxriLOUW7OS8JLTU9iaI3n7SbHyDIIE Gxo3pyvFY2gVj2bz0OHv0aVpM2MS1Fg4C40RJ3ckD7yMojnoubmt8YsOtBjuVulO MW6eIJ0GhjX8k6cBvUBYCs5XxNhd6jLAsQyIZTcgCVg4Augn1eLBZg== =ARnz -----END PGP SIGNATURE-----
On Thu, 24 May 2001, Matt Cramer wrote:
http://spam.abuse.net/spam/tools/smPbS.html
POP3 before SMTP. Works for any MUA that supports POP3, and the only impact to the user experience is that the user needs to check her mail before she sends mail (which most do anyway).
Now, please try this, close your relay, and cease this off-topic whining to this list.
I will give you a solid reason why we won't try this, quoting research with POP-before-SMTP conducted by the founder of MAPS TSI, Chip Rosenthal http://users.laserlink.net/~chip/relay-pres-9910/ You don't have to believe me that our clients will not accept that, take his words instead: "Our users hated it - particularly those using MS Outlook" No need to describe what happens when your clients hate your service... --Mitch NetSide
On Thu, 24 May 2001, Mitch Halmu wrote:
I will give you a solid reason why we won't try this, quoting research with POP-before-SMTP conducted by the founder of MAPS TSI, Chip Rosenthal http://users.laserlink.net/~chip/relay-pres-9910/ You don't have to believe me that our clients will not accept that, take his words instead: "Our users hated it - particularly those using MS Outlook" No need to describe what happens when your clients hate your service...
Of course this page is, ah, just a little old... presumably outlook express is a little better now. Of course he also states laserlink *DOES* use pop-before-smtp, so... -Dan
On Thu, May 24, 2001 at 05:47:41PM -0400, Mitch Halmu wrote:
No need to describe what happens when your clients hate your service...
Well, I guess you're going to have to decide which they're going to hate more; inconvenience with one POS email client that's going to get them hacked anyway, or not being able to send email to hundreds of domains.
On Thu, 24 May 2001, Mitch Halmu wrote:
I will give you a solid reason why we won't try this, quoting research with POP-before-SMTP conducted by the founder of MAPS TSI, Chip Rosenthal http://users.laserlink.net/~chip/relay-pres-9910/
You don't have to believe me that our clients will not accept that, take his words instead:
"Our users hated it - particularly those using MS Outlook"
No need to describe what happens when your clients hate your service...
Pop before SMTP has come a long way since 1999, and newer outlook does SMTP auth. If you support both, Pop before SMTP for clients who cannot do SMTP Auth, then you shouldn't have users hating it. Jason -- Jason Slagle - CCNP - CCDP Network Administrator - Toledo Internet Access - Toledo Ohio - raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172 /"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \ / ASCII Ribbon Campaign . If dreams are like movies then memories X - NO HTML/RTF in e-mail . are films about ghosts.. / \ - NO Word docs in e-mail . - Adam Duritz - Counting Crows
At 08:57 PM 5/24/01, Jason Slagle wrote:
On Thu, 24 May 2001, Mitch Halmu wrote:
I will give you a solid reason why we won't try this, quoting research with POP-before-SMTP conducted by the founder of MAPS TSI, Chip Rosenthal http://users.laserlink.net/~chip/relay-pres-9910/
You don't have to believe me that our clients will not accept that, take his words instead:
"Our users hated it - particularly those using MS Outlook"
No need to describe what happens when your clients hate your service...
Pop before SMTP has come a long way since 1999, and newer outlook does SMTP auth. If you support both, Pop before SMTP for clients who cannot do SMTP Auth, then you shouldn't have users hating it.
My clients use SMTP AUTH, or (if they either have an old mail client, or don't have AUTH configured) use smtp-after-POP. Both work well. The SMTP AUTH implementation in sendmail 8.11.x works flawlessly, as does the TLS implementation, which we also support and use. Outlook and Outlook Express support SMTP AUTH with no problems whatsoever. Their TLS implementation has some issues. Eudora 5.1 has the cleanest implementation of TLS and SMTP AUTH I've seen anywhere. They've done a great job with the implementation. Same goes for Qpopper 4.0, which is easy to work with, and supports TLS well. We do email hosting, but provide no access services. All of our users connect to our mail servers remotely. We've never run an open relay, and our customers have full access to use our SMTP and POP services. It really is possible to do all of this, be successful and have happy customers. ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com
Mitch Halmu was said to been seen saying:
I will give you a solid reason why we won't try this, quoting research with POP-before-SMTP conducted by the founder of MAPS TSI, Chip Rosenthal http://users.laserlink.net/~chip/relay-pres-9910/
You don't have to believe me that our clients will not accept that, take his words instead:
"Our users hated it - particularly those using MS Outlook"
No need to describe what happens when your clients hate your service...
From past experience MS Outlook in and of itself is the worst MUA to use for Internet mail to begin with as the whole idea of internet mail was an afterthought, doesn't follow half the MIME standards and for sake of not finding a more "high tech" way to say it... It just plan sucks, get a real MUA. Jeremy T. Bouse -- ,-----------------------------------------------------------------------------, |Jeremy T. Bouse, CCNA - UnderGrid Network Services, LLC - www.UnderGrid.net | | Public PGP/GPG fingerprint and location in headers of message | | If received unsigned (without requesting as such) DO NOT trust it! | | jbouse@Debian.org - NIC Whois: JB5713 - Jeremy.Bouse@UnderGrid.net | `-----------------------------------------------------------------------------'
On Thu, 24 May 2001, Mitch Halmu wrote:
The collateral damage in blocking 100,000 hosts is simply unacceptable. Especially because there are only a few hundred die-hard professional spammers that need to be rooted out, and the problem diminishes, or at least becomes manageable in another way. As an ISP, I have yet to see a list of black sheep compiled consisting of individuals, spam companies, or credit cards used to defraud that should not be subscribed. Banks share such information, why can't ISPs?
Assuming that 25% of the IP space is assigned, and 1% of IP space assigned is a mail server, that is still blocking only 1% of mail servers. I know more then 10 million mail servers exist. Along those lines, let me get this straight. You support someone compiling a list of spammers that you won't sell to, but you oppose someone compiling a list of people that I choose not to accept mail from. That is quite interesting, and somewhat hypocritical.
No matter how noble the cause, the methods are wrong. In all the debate, it was perhaps lost that no viable technological solution to roaming, meaning one that is happily accepted by the end user, exists yet. And please don't mention SMTP Auth, it's not perfected yet.
We tell users that if they roam they need to use the mail server of the place they are roaming to. As a matter of fact, we are in the process of setting up a set of rules to divert all port 25 bound traffic on our dialups to local mail servers. If everyone diverted all local traffic to a local mail server, the problem of open relays would go away. Jason -- Jason Slagle - CCNP - CCDP Network Administrator - Toledo Internet Access - Toledo Ohio - raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172 /"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \ / ASCII Ribbon Campaign . If dreams are like movies then memories X - NO HTML/RTF in e-mail . are films about ghosts.. / \ - NO Word docs in e-mail . - Adam Duritz - Counting Crows
On Thu, 24 May 2001, Jason Slagle wrote:
Along those lines, let me get this straight. You support someone compiling a list of spammers that you won't sell to, but you oppose someone compiling a list of people that I choose not to accept mail from. That is quite interesting, and somewhat hypocritical.
Not at all. "People" is the key. The list in question is of servers used by innocent people. The bad people are someone else's clients. I don't feel that it's hypocritical to refuse service to an individual that just cheated a fellow ISP, just like a bank will not issue an unsecured loan or credit card to someone that cheated another bank. The problem is, ISPs will not cooperate willingly to identify their repeat offenders. Whatever legalities are involved could be sorted out in the same fashion as credit reporting agencies are set up. Hey, if MAPS is willing to change their business model by becoming an agency that reports on the individual or company that author spam, instead of squeezing providers for a deed performed by someone else's client, I would be the first one to support the initiative. --Mitch NetSide
participants (12)
-
Dan Hollis -
Daniel Senie -
dlr@bungi.com -
Eric A. Hall -
Jason Slagle -
Jeremy T. Bouse -
Matt Cramer -
Mike Batchelor -
Mitch Halmu -
Shawn McMahon -
Steve Sobol -
Valdis.Kletnieks@vt.edu