Re: Update on mail bombing threats--not so funny
There is no use to attempt to find legal fixes for massive spam and other flooding attacks. The spam sources will simply move out of U.S. and will start loading international circuits with their crap.
I.e. the legal cure will only make spam even more annoying, but won't stop anybody.
Why won't we concentrate on doing technical solutions? Fortunately, it is relatively easy to get rid of the flooding attacks by reducing their effectiveness to nothing.
The solution is source address filtering at edges, to relieve attackers from the benefit of forged source addresses, and reverse lookup authentication in MTAs -- just do not accept any mail coming from an invalid source address, or source address not corresponding to what is in Sender, Reply-To or From field.
That will arguably break some setups (for example, when outgoing mail leaves hosts directly, but return mail comes thru a centralized server); but that can be fixed.
That scheme is obviously not bullet-proof, but neither are locks on the doors. They do deter crime, though.
BTW, the e-mail sender address authentication would also do wonders for non-flooding variety of spammers -- getting tons of angry mail from the targets of the spam does have some effect. Also, it gives ISPs ability to identify abusers, and create a black list of people not to have any business with, and a legitimate reason to refuse service to them.
There's a historical precedent in doing source address authentication which initially broke service for a lot of people, but ultimately made Internet a saner place -- the FTP archive at UUNET at some time started requiring that reverse DNS lookups should provide correct names. Oops -- nobody with broken reverse zones could access it.
Now, the question is how to make people to actually implement it. I guess the big providers should consider it in their best interest -- or they'll eventually get politicians and lawyers on their heads.
--vadim
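The MTA-side check proposed in the message above, sketched as an added example that is not part of the original post: the source address must have a reverse name, that name must resolve back to the same address, and it must correspond to a domain in Sender, Reply-To or From. The DNS tables, the addresses and the "same domain or a name below it" matching rule are assumptions made for this illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed DNS data standing in for real PTR and A lookups (offline demo).
PTR = {
    "192.0.2.10": "mail.example.com",
    "192.0.2.77": "ws12.eng.example.com",
    "198.51.100.5": "mail.example.com",   # PTR claims a name it does not own
    "203.0.113.9": "dial-9.isp.example",
}
A = {
    "mail.example.com": {"192.0.2.10"},
    "ws12.eng.example.com": {"192.0.2.77"},
    "dial-9.isp.example": {"203.0.113.9"},
}

def header_domains(raw_message):
    """Domains found in the Sender, Reply-To and From header fields."""
    msg = message_from_string(raw_message)
    fields = []
    for name in ("Sender", "Reply-To", "From"):
        fields.extend(msg.get_all(name, []))
    return {addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses(fields) if "@" in addr}

def corresponds(host, domain):
    """Assumed rule: the host is the domain itself or a name below it."""
    return host == domain or host.endswith("." + domain)

def check_source(client_ip, raw_message):
    """Return (accept, reason) for one SMTP connection and its message."""
    host = PTR.get(client_ip)
    if host is None:
        return False, "no reverse DNS for source address"
    if client_ip not in A.get(host, set()):
        return False, "reverse name does not resolve back to source address"
    domains = header_domains(raw_message)
    if not any(corresponds(host, d) for d in domains):
        return False, "source host does not correspond to header addresses"
    return True, "ok"

def msg(from_addr):
    """Build a minimal constructed message with the given From address."""
    return f"From: {from_addr}\nSubject: test\n\nbody\n"
```

A host that sends directly while using a return address in another domain, such as `check_source("203.0.113.9", msg("alice@example.com"))`, is refused by this rule.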
Vadim Antonov wrote:
One possible solution is just to have recourse after the fact. If you as an ISP have their credit card/phone billing, and have a policy that explicitly states that either:
1) you will charge $100/hr to cleanup revenge email that they were responsible for directly.
2) you will charge them $.25/message for every mail message over 1000 sent outgoing (this doesn't handle using another site's mail server).
3) you charge for bandwidth or something like that making sure you set the limits such that normal dialup users won't see any charges.
Even despite the inevitable chargebacks, many spammers would decide that fighting with the credit card company isn't worth it.
There are a lot of ISPs spending a large amount of time/$ tracking down this sort of thing and in the end it isn't very productive. I see a general lack of policy for dealing with spam almost everywhere.
allan
On Thu, 9 Jan 1997, Allan Chong wrote:
Even despite the inevitable chargebacks, many spammers would decide that fighting with the credit card company isn't worth it.
Uh, you have this backwards. If you read most credit card merchant agreements, online services have no recourse, without a physical signature from the customer, against chargebacks for online service. This is because they are treated as phone orders where the presumption is in the customer's favor.
Mike.
+------------------- H U R R I C A N E - E L E C T R I C -------------------+
| Mike Leber Direct Internet Connections Voice 408 282 1540 |
| Hurricane Electric Web Hosting & Co-location Fax 408 971 3340 |
| mleber@he.net http://www.he.net |
+---------------------------------------------------------------------------+
Mike Leber wrote:
On Thu, 9 Jan 1997, Allan Chong wrote:
Even despite the inevitable chargebacks, many spammers would decide that fighting with the credit card company isn't worth it.
Uh, you have this backwards. If you read most credit card merchant agreements, online services have no recourse, without a physical signature from the customer, against chargebacks for online service. This is because they are treated as phone orders where the presumption is in the customer's favor.
By chargeback, I meant to the merchant. But it still was a hassle on a simple chargeback I did. I probably wasted 5 hours writing letters and on the phone to make it stick.
The technical reasons Vadim gives are essential, to ensure that everything is as it appears, but what does the ISP do when one of their users does something. Most don't have any clear cut policy. When the spam is coming from the network of a paying business customer, operators often have to start tiptoeing lightly.
We're going to see more balkanization of the net as operators have to start deciding between the good ISPs and bad ISPs.
allan
3 posts in a day. I must be getting old and grumpy.
Allan,
All the legal recourses mean nothing if you cannot enforce them. Let's make the system more robust, i.e. make it harder to fake the source of an email message, which provides other incidental benefits as well.
Larry Plato
Speaking for myself
Vadim Antonov wrote:
One possible solution is just to have recourse after the fact. If you as an ISP have their credit card/phone billing, and have a policy that explicitly states that either:
1) you will charge $100/hr to cleanup revenge email that they were responsible for directly.
2) you will charge them $.25/message for every mail message over 1000 sent outgoing (this doesn't handle using another site's mail server).
3) you charge for bandwidth or something like that making sure you set the limits such that normal dialup users won't see any charges.
Even despite the inevitable chargebacks, many spammers would decide that fighting with the credit card company isn't worth it.
There are a lot of ISPs spending a large amount of time/$ tracking down this sort of thing and in the end it isn't very productive. I see a general lack of policy for dealing with spam almost everywhere.
allan
On Thu, 9 Jan 1997, Vadim Antonov wrote:
Why won't we concentrate on doing technical solutions? [good source authentication proposal deleted]
This would solve the forged email problem excellently. (Assuming you can get past the installed base of over 50(?) million SMTP email addresses, although only a few of those actually have a source domain different from the mail gateway.) However, the spamming problem is another. I see three generations of spammers.
The 1st Generation Spammer (Direct)
From address matches sender. Spammer expects to pick up mail at the from address. Cancelling account thwarts spammer. Easy to cover in TOS.
The 2nd Generation Spammer (Indirect Via Internet)
From address is different than sender. For this type of spam promoting web sites, the actual site being promoted is on a different network than spam is sent from. For this type of spam requiring a response, response email address is usually a dropbox or autoresponder service with a "spammer friendly" TOS. Source email account used is disposable. Requires more complex TOS for network hosting actual site to terminate service.
The 3rd Generation Spammer (Indirect Via Non Internet)
From address can be anything. Response is via 900 phone number, 800 phone number taking credit cards, or international number with builtin premium ($20 for the first minute). Alternatively, less sophisticated 3rd generation spammers use fax, regular telephone, or postal mail (only the really dumb ones ever use postal mail, because of the amount of law). No Internet resource is used as part of ordering.
I have received a couple of these 3rd generation spams recently. Mail authentication is not going to prevent hit and run 3rd generation spams.
An additional feature (hehe) in sendmail that would hinder hit and run operators would be flood suppression on a user by user basis (ibm.net could have used this). For example, a rule such that no user can send more than 1000 messages per day (configurable of course).
Mike.
+------------------- H U R R I C A N E - E L E C T R I C -------------------+
| Mike Leber Direct Internet Connections Voice 408 282 1540 |
| Hurricane Electric Web Hosting & Co-location Fax 408 971 3340 |
| mleber@he.net http://www.he.net |
+---------------------------------------------------------------------------+
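The per-user flood suppression rule suggested in the message above, as an added example that is not part of the original post and is not a sendmail feature. It assumes a rolling 24-hour window instead of a calendar day, counts one message per recipient, and runs on constructed events with hypothetical user names.

```python
from collections import defaultdict, deque

class FloodSuppressor:
    """Per-user cap on outgoing messages over a rolling 24-hour window."""

    def __init__(self, limit=1000, window=86400):
        self.limit = limit                # configurable, as the post suggests
        self.window = window              # seconds
        self.sent = defaultdict(deque)    # user -> deque of (timestamp, count)
        self.totals = defaultdict(int)    # user -> messages inside the window

    def _expire(self, user, now):
        """Drop submissions that have aged out of the window."""
        q = self.sent[user]
        while q and q[0][0] <= now - self.window:
            _, n = q.popleft()
            self.totals[user] -= n

    def allow(self, user, recipients, now):
        """Count one message per recipient (assumption); refuse the whole
        submission if it would push the user over the limit."""
        self._expire(user, now)
        if self.totals[user] + recipients > self.limit:
            return False
        self.sent[user].append((now, recipients))
        self.totals[user] += recipients
        return True

def replay(events, limit=1000):
    """Run (time, user, recipients) events; return the refused ones."""
    fs = FloodSuppressor(limit=limit)
    return [(t, u, n) for t, u, n in events if not fs.allow(u, n, t)]

# Constructed sample: a normal dial-up user and a hit-and-run sender.
EVENTS = [
    (0, "dialup1", 3),
    (60, "bulk7", 600),
    (120, "bulk7", 400),     # reaches exactly 1000: still allowed
    (180, "bulk7", 1),       # 1001st message: refused
    (200, "dialup1", 5),
    (86460, "bulk7", 500),   # the 600 sent at t=60 have aged out
    (86500, "bulk7", 200),   # 400 + 500 + 200 > 1000: refused
]
```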
Sorry, but what are you doing with the uninteresting adv. shits in your usual mail-box? I find daily 2 / 3 such papers, and I prefer to throw them into my wastebasket instead of writing a lot of complaints... Sometimes I find something interesting, anyway. Except some cases of the massive SPAM it's better choice. Just now I see inadequate behaviour of some network administrators when 1 (_ONE_) unnecessary message causes 10 / 20 messages (written by this administrator) complaining about this advertisement (you are naming it _spam_). This causes us much more trouble than simple 'D' (or 'REMOVE') command.
There is no use to attempt to find legal fixes for massive spam and other flooding attacks. The spam sources will simply move out of U.S. and will start loading international circuits with their crap.
I.e. the legal cure will only make spam even more annoying, but won't stop anybody.
Why won't we concentrate on doing technical solutions? Fortunately, it is relatively easy to get rid of the flooding attacks by reducing their effectiveness to nothing.
The solution is source address filtering at edges, to relieve attackers from the benefit of forged source addresses, and reverse lookup authentication in MTAs -- just do not accept any mail coming from an invalid source address, or source address not corresponding to what is in Sender, Reply-To or From field.
That will arguably break some setups (for example, when outgoing mail leaves hosts directly, but return mail comes thru a centralized server); but that can be fixed.
That scheme is obviously not bullet-proof, but neither are locks on the doors. They do deter crime, though.
BTW, the e-mail sender address authentication would also do wonders for non-flooding variety of spammers -- getting tons of angry mail from the targets of the spam does have some effect. Also, it gives ISPs ability to identify abusers, and create a black list of people not to have any business with, and a legitimate reason to refuse service to them.
There's a historical precedent in doing source address authentication which initially broke service for a lot of people, but ultimately made Internet a saner place -- the FTP archive at UUNET at some time started requiring that reverse DNS lookups should provide correct names. Oops -- nobody with broken reverse zones could access it.
Now, the question is how to make people to actually implement it. I guess the big providers should consider it in their best interest -- or they'll eventually get politicians and lawyers on their heads.
--vadim
--- Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
participants (5)
- alex@relcom.EU.net
- Allan Chong
- Larry J. Plato
- Mike Leber
- Vadim Antonov