How do you stop outgoing spam?
Please try to keep this discussion technical and not diverge to opinions. I am not looking for opinions or religion. I am trying to find automated tools/systems/boxes that will stop spam from going *out* from an ISP. The ISP has no servers and allocates IP address space to downstream customers who spam. Yes, I know all about ACLs to block offending IPs. The ISP is willing to buy any box or system to stop outgoing spams and thereby stop constantly playing with ACLs.
The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a "spammer CD" and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely.
Technical solutions welcome.
Thanks, Hank
On Mon, 9 Sep 2002, Hank Nussbacher wrote:
The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a "spammer CD" and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely.
You could traffic shape or rate limit the traffic towards port 80 to a few kbps for each IP address that might be used for spamming. If you allow small bursts (10 - 50k) this should be just fine for regular web access, since for that outgoing traffic is minimal: just the HTTP requests and ACKs. However, it will slow down spamming to at most a couple dozen spams per minute after the first few that fill up the configured burst size. I imagine this will make the spammers move on to greener pastures.
Kinda breaks broadband streaming audio/video in a Java/other web applet though...among other things.
Best regards, _________________________ Alan Rowland
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Iljitsch van Beijnum Sent: Monday, September 09, 2002 3:50 AM To: Hank Nussbacher Cc: nanog@merit.edu Subject: Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Hank Nussbacher wrote:
The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a "spammer CD" and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely.
You could traffic shape or rate limit the traffic towards port 80 to a few kbps for each IP address that might be used for spamming. If you allow small bursts (10 - 50k) this should be just fine for regular web access, since for that outgoing traffic is minimal: just the HTTP requests and ACKs. However, it will slow down spamming to at most a couple dozen spams per minute after the first few that fill up the configured burst size. I imagine this will make the spammers move on to greener pastures.
At 10:18 AM -0700 2002/09/09, Al Rowland wrote:
Kinda breaks broadband streaming audio/video in a Java/other web applet though...among other things.
No, the traffic budget is on upstream traffic, not downstream. Stream content all you want, but don't try to generate too much upstream traffic or you get your bandwidth severely curtailed. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
"Brad" == Brad Knowles <brad.knowles@skynet.be> writes:
Brad> No, the traffic budget is on upstream traffic, not
Brad> downstream. Stream content all you want, but don't try to
Brad> generate too much upstream traffic or you get your bandwidth
Brad> severely curtailed.
good consumer... don't try to talk. just watch the propaganda...
At 6:06 PM -0400 2002/09/09, William Waites wrote:
Brad> No, the traffic budget is on upstream traffic, not
Brad> downstream. Stream content all you want, but don't try to
Brad> generate too much upstream traffic or you get your bandwidth
Brad> severely curtailed.
good consumer... don't try to talk. just watch the propaganda...
Yeah, well. For Internet cafes, this is probably a fairly reasonable assumption. -- Brad Knowles, <brad.knowles@skynet.be>
On Tue, 10 Sep 2002, Brad Knowles wrote:
Brad> No, the traffic budget is on upstream traffic, not
Brad> downstream. Stream content all you want, but don't try to
Brad> generate too much upstream traffic or you get your bandwidth
Brad> severely curtailed.
[The whole thing about port 80 upstream bandwidth limitations getting in the way of streaming audio/video sounds like nonsense to me, since this usually doesn't go _to_ TCP port 80, even flowing _from_ TCP port 80 is something I haven't seen this century.]
good consumer... don't try to talk. just watch the propaganda...
Yeah, well. For Internet cafes, this is probably a fairly reasonable assumption.
Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
On Tue, 10 Sep 2002 00:41:09 +0200 (CEST) Iljitsch van Beijnum <iljitsch@muada.com> wrote:
On Tue, 10 Sep 2002, Brad Knowles wrote:
Brad> No, the traffic budget is on upstream traffic, not
Brad> downstream. Stream content all you want, but don't try to
Brad> generate too much upstream traffic or you get your bandwidth
Brad> severely curtailed.
[The whole thing about port 80 upstream bandwidth limitations getting in the way of streaming audio/video sounds like nonsense to me, since this usually doesn't go _to_ TCP port 80, even flowing _from_ TCP port 80 is something I haven't seen this century.]
good consumer... don't try to talk. just watch the propaganda...
Yeah, well. For Internet cafes, this is probably a fairly reasonable assumption.
Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions. If I was limited to 4 kbps outbound, I would want my money back. Just one customer viewpoint :) Regards Marshall Eubanks
On Mon, 9 Sep 2002, Marshall Eubanks wrote:
Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.
Would the uploads be HTTP? That's the only thing I'd want to limit to a few kbps. (Well, and outgoing SMTP to 0 kbps.)
If I was limited to 4 kbps outbound, I would want my money back.
Just one customer viewpoint :)
Understandable. On the other hand, spammers using internet cafes isn't good either.
On Tue, 10 Sep 2002 01:48:57 +0200 (CEST) Iljitsch van Beijnum <iljitsch@muada.com> wrote:
On Mon, 9 Sep 2002, Marshall Eubanks wrote:
Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.
Would the uploads be HTTP? That's the only thing I'd want to limit to a few kbps. (Well, and outgoing SMTP to 0 kbps.)
When I am at a cafe I use a web based encrypted email program, and if I email a large attachment (say a pdf file), then it goes http outbound. The other major outbound bandwidth use is scp (very rarely, ftp or ssh). I do not really see what the touch typing limit is relevant to - whose primary Internet use is telnet /ssh now-a-days ? Again, when I go to a cafe in another city, I am generally there to get some work done, and frequently have a bunch of previously prepared files to send. I may not be a typical user... Regards Marshall
If I was limited to 4 kbps outbound, I would want my money back.
Just one customer viewpoint :)
Understandable. On the other hand, spammers using internet cafes isn't good either.
On Tue, Sep 10, 2002 at 08:10:46AM -0400, Marshall Eubanks <tme@multicasttech.com> replied to Iljitsch van Beijnum <iljitsch@muada.com>: [snip]
When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.
Would the uploads be HTTP? That's the only thing I'd want to limit to a few kbps. (Well, and outgoing SMTP to 0 kbps.)
When I am at a cafe I use a web based encrypted email program, and if I email a large attachment (say a pdf file), then it goes http outbound. The other major outbound bandwidth use is scp (very rarely, ftp or ssh).
I do not really see what the touch typing limit is relevant to - whose primary Internet use is telnet /ssh now-a-days ?
I'd estimate that my time is divided between SSH sessions (maybe 75%) and everything else (mostly web browsing, instant messaging (more text)), with music streaming generally going on in the background fairly constantly. YMMV - but text is pretty far from dead. :) On the other hand, I'm pretty far removed from (not to mention vastly outnumbered by) your average AOL-subscribing casual Net surfer. The OP was asking for solutions to blocking outbound spam. The most apparent (to me, anyway) is to rate-limit SMTP (or deny SMTP to dialup/dynamic addresses altogether; I have yet to see a convincing argument for allowing dialup users to run SMTP servers at this point in time). While that may take care of relay raping, there's still the HTTP problem to contend with (although I bet it's considerably less of a problem). I would imagine a traffic analysis of a spammer using HTTP and casual surfing (or even large file transfers) would reveal some pretty significant differences that could be used to implement some shaping or rate-limiting.
Again, when I go to a cafe in another city, I am generally there to get some work done, and frequently have a bunch of previously prepared files to send. I may not be a typical user...
Me neither. :) Hopefully this discussion is proving useful to the OP. -- -= Scott Francis || darkuncle (at) darkuncle (dot) net =- GPG key CB33CCA7 has been revoked; I am now 5537F527 illum oportet crescere me autem minui
Okay, I'm going to break my promise,
Can anyone document more than one isolated instance, if that, of spammers using North American Cyber Cafes? (This is NANOG)
If so, wouldn't appropriate AUP with appropriate fines to the CC the user used for access be a more appropriate sniper rifle shot rather than just shot gunning all your users?
As far as 'loading' spam software, any Cyber Café that has the cpu out where Joe User has access and/or hasn't set appropriate user rights preventing software installation or system access, won't be in business very long anyway.
Best regards, _________________________ Alan Rowland
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Iljitsch van Beijnum Sent: Monday, September 09, 2002 4:49 PM To: Marshall Eubanks Cc: nanog@merit.edu Subject: Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Marshall Eubanks wrote:
Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.
Would the uploads be HTTP? That's the only thing I'd want to limit to a few kbps. (Well, and outgoing SMTP to 0 kbps.)
If I was limited to 4 kbps outbound, I would want my money back.
Just one customer viewpoint :)
Understandable. On the other hand, spammers using internet cafes isn't good either.
wow, I hate spam/anti-spam conversations, BUT: On Tue, 10 Sep 2002, Al Rowland wrote:
Okay, I'm going to break my promise,
Can anyone document more than one isolated instance, if that, of spammers using North American Cyber Cafes? (This is NANOG)
If so, wouldn't appropriate AUP with appropriate fines to the CC the user used for access be a more appropriate sniper rifle shot rather than just shot gunning all your users?
The problem most likely is that the complaints roll down days after said user spammed :( We see fallout from dial spammers normally hours after they start spamming. So, unless they have CC#->UserName->Time->ip all recorded at the cafe they aren't going to be able to 'fine' anyone :( I am NOT a proponent of a technical solution for spam because it's just an escalating war of technology, but in this case perhaps there are some measures Hank can suggest to his customers to help solve this issue, or curb the abuse. Perhaps even a technical solution he can sell/manage for his customer and make some more money for his business? Managed Security Services, what a thought! :)
As far as 'loading' spam software, any Cyber Café that has the cpu out where Joe User has access and/or hasn't set appropriate user rights preventing software installation or system access, won't be in business very long anyway.
Stupidity never stopped people from running a business :(
Best regards, _________________________ Alan Rowland
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Iljitsch van Beijnum Sent: Monday, September 09, 2002 4:49 PM To: Marshall Eubanks Cc: nanog@merit.edu Subject: Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Marshall Eubanks wrote:
Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.
Would the uploads be HTTP? That's the only thing I'd want to limit to a few kbps. (Well, and outgoing SMTP to 0 kbps.)
If I was limited to 4 kbps outbound, I would want my money back.
Just one customer viewpoint :)
Understandable. On the other hand, spammers using internet cafes isn't good either.
On Tue, 10 Sep 2002, Al Rowland wrote:
Can anyone document more than one isolated instance, if that, of spammers using North American Cyber Cafes? (This is NANOG)
They usually use copy places like kinko's, or public libraries. Cyber cafes tend to be too conspicuous. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
## On 2002-09-09 17:53 -0400 Marshall Eubanks typed:
ME> >
ME>
ME> When I go to Internet cafes (I like Global Gossip), I connect my Ti-book
ME> to the local ethernet if at all possible (that's why I like Global Gossip) and
ME> use high bit rates (i.e., file transfers) in both directions.
ME>
ME> If I was limited to 4 kbps outbound, I would want my money back.
Are you doing your file transfers via HTTP or SMTP ? What about rate limiting TCP SYN packets ? I assume you're not doing more than say 1 file per second ?
ME>
ME> Just one customer viewpoint :)
ME>
ME> Regards
ME> Marshall Eubanks
ME>
P.S. funny thing is I learnt the SYN rate limiting "trick" from Hank ...
-- Rafi
At 12:41 AM +0200 2002/09/10, Iljitsch van Beijnum wrote:
Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
You're forgetting keyboard macros. That might take you to 8Kbps, or perhaps a little more. ;-) -- Brad Knowles, <brad.knowles@skynet.be>
On Mon, 9 Sep 2002, Iljitsch van Beijnum wrote: Looking for automatic off-the-shelf solution. Not something that requires a NOC to constantly update a Cisco ACL. -Hank
On Mon, 9 Sep 2002, Hank Nussbacher wrote:
The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a "spammer CD" and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely.
You could traffic shape or rate limit the traffic towards port 80 to a few kbps for each IP address that might be used for spamming. If you allow small bursts (10 - 50k) this should be just fine for regular web access, since for that outgoing traffic is minimal: just the HTTP requests and ACKs. However, it will slow down spamming to at most a couple dozen spams per minute after the first few that fill up the configured burst size. I imagine this will make the spammers move on to greener pastures.
Hank Nussbacher
On Mon, 9 Sep 2002, Hank Nussbacher wrote:
Looking for automatic off-the-shelf solution. Not something that requires a NOC to constantly update a Cisco ACL.
Correct me if I'm wrong, but the web (ok, most of it) has been running on TCP port 80 for quite a while now. So if you limit outgoing TCP packets to port 80 (and probably some variations, such as HTTP+SSL) to a few kbps, regardless of their destination, you don't hurt legitimate users except some very rare cases such as HTTP uploads but you make life less fun for spammers.
Final comment on this subject (I promise) :)
How many (more) protocols are we willing to cripple in the name of fighting spam?
Best regards, _________________________ Alan Rowland
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Iljitsch van Beijnum Sent: Monday, September 09, 2002 10:23 AM To: Hank Nussbacher Cc: nanog@merit.edu Subject: Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Hank Nussbacher wrote:
Looking for automatic off-the-shelf solution. Not something that requires a NOC to constantly update a Cisco ACL.
Correct me if I'm wrong, but the web (ok, most of it) has been running on TCP port 80 for quite a while now. So if you limit outgoing TCP packets to port 80 (and probably some variations, such as HTTP+SSL) to a few kbps, regardless of their destination, you don't hurt legitimate users except some very rare cases such as HTTP uploads but you make life less fun for spammers.
On Mon, 9 Sep 2002, Al Rowland wrote:
Final comment on this subject (I promise) :)
How many (more) protocols are we willing to cripple in the name of fighting spam?
Obviously the crippled protocol here is SMTP, because it allows pretty much everything. As a rule, I'm against solving application problems at the network layer, but in this specific case (internet cafe) this specific solution (rate limiting/traffic shaping for traffic to HTTP servers) seems reasonable.
On Mon, 09 Sep 2002 10:37:35 PDT, Al Rowland <alan_r1@corp.earthlink.net> said:
How many (more) protocols are we willing to cripple in the name of fighting spam?
Crippling protocols won't help, in the long run. What will help is the use of a baseball bat, properly applied. Unfortunately, although it would probably be *cheaper* to hire <insert ethnic organized crime group> to simply whack the cluelessmailers.org list of top 100 offenders, network providers fall into two distinct classes: 1) Companies with *some* sense of morals/conscience - they won't do that sort of thing. 2) Companies that *would* stoop so low - they won't do it either because that would be attacking their own revenue stream. -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
On September 9, 2002 at 14:47 Valdis.Kletnieks@vt.edu (Valdis.Kletnieks@vt.edu) wrote:
On Mon, 09 Sep 2002 10:37:35 PDT, Al Rowland <alan_r1@corp.earthlink.net> said:
How many (more) protocols are we willing to cripple in the name of fighting spam?
Crippling protocols won't help, in the long run. What will help is the use of a baseball bat, properly applied. Unfortunately, although it would probably be *cheaper* to hire <insert ethnic organized crime group> to simply whack the cluelessmailers.org list of top 100 offenders, network providers fall into two distinct classes:
You've certainly gotten to the heart of the problem, Valdis. The problem is we're up against a new organized crime on the internet in the form of scams and spams. And, although some won't like me saying this, having the technical community deal with these new criminals is a bit like sending the boy scouts after Al-Qaida. Unfortunately it's going to take a much harsher view of reality than "maybe this regexp will stop crime". -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD The World | Public Access Internet | Since 1989 *oo*
On Tue, 10 Sep 2002, Barry Shein wrote:
And, although some won't like me saying this, having the technical community deal with these new criminals is a bit like sending the boy scouts after Al-Qaida.
Unfortunately it's going to take a much harsher view of reality than "maybe this regexp will stop crime".
Last time I checked policemen weren't designing door locks. Not even in business of selling them. What we have is a lot of open doors having prominent signs "come in and take whatever you please" on them. This can and should be fixed by the technical community. US is not going to send troops to Nigeria just to catch some spammers anyway. Consider that a "harsher view of reality" :) --vadim PS. Criminals are criminals because they are stupid. If they were smart they could make good living legally. Governments avoid competition, too.
For about 20 years I've been saying on these lists: Civilization is the knowledge that your house is reasonably locked up even though you have glass windows. (most) door locks (usually) work because breaking into them is accepted as illegal and there's a finite chance of being caught and going to jail for breaking them. Not because they're generally impervious to technology (e.g., crowbars, sharp kicks, charge cards.) A problem with spam is not only aren't you likely to get caught, it's not even generally agreed to be illegal. Hell, it's not even generally agreed to be anti-social except among the anointed. The solution (at this point) is not to nail plywood over all your windows. First we (as a society) need to agree spamming is even illegal. I fear those of us who don't like spam are rapidly losing that battle, however, and spam is becoming a regular and normal business activity. The spammers are winning by demonstration. You have probably 90% of internet users see spam in their mailbox every day and they come to believe that it must be ok, even if annoying. Like telemarketing calls. -b On September 10, 2002 at 13:48 avg@exigengroup.com (Vadim Antonov) wrote:
On Tue, 10 Sep 2002, Barry Shein wrote:
And, although some won't like me saying this, having the technical community deal with these new criminals is a bit like sending the boy scouts after Al-Qaida.
Unfortunately it's going to take a much harsher view of reality than "maybe this regexp will stop crime".
Last time I checked policemen weren't designing door locks. Not even in business of selling them.
What we have is a lot of open doors having prominent signs "come in and take whatever you please" on them. This can and should be fixed by the technical community.
US is not going to send troops to Nigeria just to catch some spammers anyway. Consider that a "harsher view of reality" :)
--vadim
PS. Criminals are criminals because they are stupid. If they were smart they could make good living legally. Governments avoid competition, too.
On Tue, 10 Sep 2002, Barry Shein wrote:
A problem with spam is not only aren't you likely to get caught, it's not even generally agreed to be illegal.
Worse yet, even in cases of clear criminal violations (eg relay rape, forgery, scams, death threats), it goes unprosecuted -- even when it's trivial to track down the offenders. And you would not BELIEVE the effort it takes to get the US military to close their open relays (not to mention close their smurf amps and shut down their rooted boxes). Fully half the fault and responsibility for the current state of affairs lies with providers who are unwilling to take any action to shut down well known spammers and abusers. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On September 10, 2002 at 14:41 goemon@anime.net (Dan Hollis) wrote:
On Tue, 10 Sep 2002, Barry Shein wrote:
A problem with spam is not only aren't you likely to get caught, it's not even generally agreed to be illegal.
...some stuff snipped...
Fully half the fault and responsibility for the current state of affairs lies with providers who are unwilling to take any action to shut down well known spammers and abusers.
But much of that goes back to spamming not being clearly illegal, in two ways: 1. Some just take the attitude that if it's not illegal then it's ok, ignorable even if obnoxious behavior. No doubt the fact that it's paying customers doing the spamming in some cases colors this view. For others it's probably just "overworked, yet another distraction". 2. Some others take the attitude that if it's not illegal they're taking a chance (of lawsuit etc) if they shut someone down. Unless of course they have clear T&C's, but no matter how you write them some obnoxious, aggressive, pond-scum can try to dispute that it applies to them. Been there, done that. Unless you do something nice and transparent like "you get 5 complaints per month free, the rest cost you $100/each." -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD The World | Public Access Internet | Since 1989 *oo*
On Tue, 10 Sep 2002, Barry Shein wrote:
2. Some others take the attitude that if it's not illegal they're taking a chance (of lawsuit etc) if they shut someone down.
But they often don't shut abusers down even when the activity IS illegal (eg flooding attacks, rooting boxes, scanning and dictionary attacks, criminal trespass relay rape, etc.)
Unless of course they have clear T&C's, but no matter how you write them some obnoxious, aggressive, pond-scum can try to dispute that it applies to them. Been there, done that.
Or companies which don't enforce them (eg exodus) even when it's criminal trespass... -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Mon, Sep 09, 2002 at 08:24:19PM +0300, Hank Nussbacher wrote:
On Mon, 9 Sep 2002, Iljitsch van Beijnum wrote:
Looking for automatic off-the-shelf solution. Not something that requires a NOC to constantly update a Cisco ACL.
PLEASE don't take this as an opportunity to start another spam thread (lest you find members of nanog testing out their theories from the "blowing up the internet" thread on your connection), but: Redirect all outgoing port 25 connections to your mail servers, and pipe all the messages through spamassassin (note: scalability not included). -- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
How do you determine what is spam ? Not trying to be difficult or start another bloody thread. It would seem to me that in order to create an "off the shelf" non NOC-updating solution, you would have to be able to define "what is spam" and then you could "detect it". The only thing that comes to this feeble mind is something ala Snort, with a rule set that will catch most common "finger prints" of spam. The IDS would then have to trigger something to drop packets and alert the NOC. I guess if you treat it as an "Intruder" you might be closer at achieving your goals. just an idea. john brown On Mon, Sep 09, 2002 at 12:17:08PM +0300, Hank Nussbacher wrote:
Please try to keep this discussion technical and not diverge to opinions. I am not looking for opinions or religion. I am trying to find automated tools/systems/boxes that will stop spam from going *out* from an ISP. The ISP has no servers and allocates IP address space to downstream customers who spam. Yes, I know all about ACLs to block offending IPs. The ISP is willing to buy any box or system to stop outgoing spams and thereby stop constantly playing with ACLs.
The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a "spammer CD" and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely.
Technical solutions welcome.
Thanks, Hank
At 10:08 AM -0700 2002/09/09, John M. Brown wrote:
How do you determine what is spam ?
Not trying to be difficult or start another bloody thread.
It would seem to me that in order to create an "off the shelf" non NOC-updating solution, you would have to be able to define "what is spam" and then you could "detect it".
You could transparently proxy port 25 for all outgoing traffic, and then run spamassassin on that machine (collection of machines). You could do a slightly modified version to look at the traffic on port 80. Not only would you be looking for standard spam keywords, but you would also be looking at spam reports from other people (e.g., Vipul's Razor), so this should continue to adapt as the spam attacks change. However, I also like the idea of doing a bandwidth budget on a per machine basis, with short term bursts allowing for most "normal" activity. -- Brad Knowles, <brad.knowles@skynet.be>
On Mon, Sep 09, 2002 at 11:31:44PM +0200, brad.knowles@skynet.be said: [snip]
At 10:08 AM -0700 2002/09/09, John M. Brown wrote:
How do you determin what is spam ?
Not trying to be difficult or start another bloody thread.
It would seem to me that in order to create an "off the shelf" non NOC-updating solution, you would have to be able to define "what is spam" and then you could "detect it".
Spam is bulk, by definition. It doesn't work otherwise. Remove the capability for bulk and you have eliminated the problem (or at least forced it elsewhere). Rate limiting outbound SMTP is still the best technical solution I have seen in this thread, and requires little to no upkeep on an ongoing basis. As soon as you start examining the contents of mail, you have increased the effort required by an order of magnitude.
You could transparently proxy port 25 for all outgoing traffic, and then run spamassassin on that machine (collection of machines). You could do a slightly modified version to look at the traffic on port 80. Not only would you be looking for standard spam keywords, but you would also be looking at spam reports from other people (e.g., Vipul's Razor), so this should continue to adapt as the spam attacks change.
Much more complex to implement and manage; doesn't scale well. The fewer decisions the anti-spam system has to make, the better it will work. If it only has to decide whether or not a specific IP/port combination has exceeded a certain threshold, it will run much more smoothly than if it's examining the contents of each packet.
However, I also like the idea of doing a bandwidth budget on a per machine basis, with short term bursts allowing for most "normal" activity.
*nod* -- -= Scott Francis || darkuncle (at) darkuncle (dot) net =- GPG key CB33CCA7 has been revoked; I am now 5537F527 illum oportet crescere me autem minui
At 11:07 AM -0700 2002/09/17, Scott Francis wrote:
Much more complex to implement and manage; doesn't scale well. The fewer decisions the anti-spam system has to make, the better it will work. If it only has to decide whether or not a specific IP/port combination has exceeded a certain threshold, it will run much more smoothly than if it's examining the contents of each packet.
Indeed, that will be a lot more scalable. But if you still have to look into each packet to see which ones are link encrypted (and therefore should be left alone) and which ones aren't (and therefore should be transparent proxied and/or traffic-shaped), that is quite a bit more work. The question is how much abuse is too much? Is it okay to allow all open port 25 connections (traffic-shaped to low average bit-rates), or is any abuse too much? -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
On Tue, Sep 17, 2002 at 08:35:03PM +0200, brad.knowles@skynet.be said: [snip]
Much more complex to implement and manage; doesn't scale well. The fewer decisions the anti-spam system has to make, the better it will work. If it only has to decide whether or not a specific IP/port combination has exceeded a certain threshold, it will run much more smoothly than if it's examining the contents of each packet.
Indeed, that will be a lot more scalable. But if you still have to look into each packet to see which ones are link encrypted (and therefore should be left alone) and which ones aren't (and therefore should be transparent proxied and/or traffic-shaped), that is quite a bit more work.
The question is how much abuse is too much? Is it okay to allow all open port 25 connections (traffic-shaped to low average bit-rates), or is any abuse too much?
Even the best solution will only approach 100% effectiveness as a limit. As in many things, it's a tradeoff - how much hassle are you willing to undergo for a steadily-diminishing return, 80/20 rule, etc. Personally, I'd be happy for 80% of the operators out there to implement the easiest 80% of things required to stop spam. If people would just take even the most basic of steps required to block spam, the picture would improve drastically for all of us. -- -= Scott Francis || darkuncle (at) darkuncle (dot) net =- GPG key CB33CCA7 has been revoked; I am now 5537F527 illum oportet crescere me autem minui
The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a "spammer CD" and blasts away at open mail relays. When SMTP is blocked for that IP
outbound SMTP should be blocked for any dynamic or dialup source within a network. a rule of thumb might be that if nat or dhcp is involved, then you should be firewalling outbound smtp. likewise for an internet cafe: these are untrusted edges and the only things they should be able to reach are either (a) other parts of the untrusted edge, or (b) a place where they can authenticate themselves in order to reach further.
..., they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely.
per-destination host AND port egress rate shaping. if someone tries to send more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single IP address, then you can safely RED their overage. this violates the whole peer-to-peer model but there's no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception. -- Paul Vixie
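The two budgets described in the message above (everything a customer address sends to port 80, and everything it sends to any single destination IP) can be modelled with token buckets. This is an added example, not code from the thread or from any router vendor: the 1 Kbit/sec rate is the figure from the post, while the 20 KB burst allowance, the traffic profiles and all addresses are constructed assumptions, and overage is simply dropped rather than handled with RED.

```python
from dataclasses import dataclass

RATE_BPS = 1_000           # 1 Kbit/sec, the figure given in the post
BURST_BITS = 20_000 * 8    # assumption: 20 KB burst allowance per bucket


@dataclass
class Bucket:
    tokens: float          # bits currently available
    last: float            # time of the last refill, in seconds

    def refill(self, now, rate_bps, burst_bits):
        earned = (now - self.last) * rate_bps
        self.tokens = min(burst_bits, self.tokens + earned)
        self.last = now


class EgressPolicer:
    """Two budgets per customer address: all TCP/80, and each destination IP."""

    def __init__(self, rate_bps=RATE_BPS, burst_bits=BURST_BITS, exempt=()):
        self.rate_bps = rate_bps
        self.burst_bits = burst_bits
        self.exempt = set(exempt)   # sources let off-net unshaped (the exception case)
        self.port80 = {}            # src -> Bucket
        self.per_dst = {}           # (src, dst) -> Bucket

    def _bucket(self, table, key, now):
        bucket = table.get(key)
        if bucket is None:
            bucket = table[key] = Bucket(self.burst_bits, now)
        bucket.refill(now, self.rate_bps, self.burst_bits)
        return bucket

    def allow(self, now, src, dst, dport, size_bytes):
        """True if the packet fits every budget that applies to it."""
        if src in self.exempt:
            return True
        bits = size_bytes * 8
        buckets = [self._bucket(self.per_dst, (src, dst), now)]
        if dport == 80:
            buckets.append(self._bucket(self.port80, src, now))
        if any(b.tokens < bits for b in buckets):
            return False            # overage: hard drop here, not RED
        for b in buckets:
            b.tokens -= bits
        return True

    def state_entries(self):
        # Per-destination shaping costs one bucket per (source, destination) pair.
        return len(self.port80) + len(self.per_dst)


def simulate(policer, src, dsts, dport, size_bytes, interval_s, duration_s=600):
    """Send one request every interval_s seconds, rotating over dsts."""
    passed = sent = 0
    for i, now in enumerate(range(0, duration_s, interval_s)):
        sent += 1
        if policer.allow(now, src, dsts[i % len(dsts)], dport, size_bytes):
            passed += 1
    return passed, sent


# Constructed traffic profiles (documentation address ranges, invented sizes).
WEB_SITES = [f"203.0.113.{n}" for n in range(1, 13)]
WEBMAIL = [f"198.51.100.{n}" for n in range(1, 6)]
SINGLE_RELAY = ["198.51.100.25"]


def demo():
    p = EgressPolicer(exempt={"192.0.2.99"})
    return {
        # one 500-byte GET every 10 s across 12 sites
        "browser": simulate(p, "192.0.2.10", WEB_SITES, 80, 500, 10),
        # one 4000-byte webmail POST per second across 5 providers
        "webmail_bulk": simulate(p, "192.0.2.11", WEBMAIL, 80, 4000, 1),
        # one 2000-byte message per second to a single host on port 25
        "relay_bulk": simulate(p, "192.0.2.12", SINGLE_RELAY, 25, 2000, 1),
        # a source explicitly exempted from shaping
        "exempt": simulate(p, "192.0.2.99", WEB_SITES[:1], 80, 4000, 1),
        "state_entries": p.state_entries(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Over the ten simulated minutes the browsing profile never touches its limit, while the bulk profiles are cut to the burst plus roughly one request per 32 or 16 seconds.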
Paul Vixie wrote:
per-destination host AND port egress rate shaping. if someone tries to send more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single IP address, then you can safely RED their overage. this violates the whole peer-to-peer model but there's no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception.
Please be aware that this could have unintended consequences, and should be used in very constrained ways. In particular, there are any number of applications, including VPN applications that use port 80. I would recommend that only specified destinations get such treatment, if you apply it at all. Eliot
## On 2002-09-09 17:15 -0700 Eliot Lear typed:
EL> Paul Vixie wrote:
EL> > per-destination host AND port egress rate shaping. if someone tries to send more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single IP address, then you can safely RED their overage. this violates the whole peer-to-peer model but there's no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception.
EL>
EL> Please be aware that this could have unintended consequences, and should be used in very constrained ways. In particular, there are any number of applications, including VPN applications that use port 80. I would recommend that only specified destinations get such treatment, if you apply it at all.
Hi Eliot
Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS?
-- Regards, Rafi
Rafi Sadowsky wrote:
Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS?
There is something called flow-based RED (FRED) but it consumes a whole lot of memory because you have to keep track of lots more state. I don't know about that code. At the least what you can do is use the rate-limit command and rate limit *all* outbound TCP/80 traffic (or for that matter all access-list captured traffic). Now, doing so will make any but the most trivial outbound TCP/80 absolutely painful, and will cause tail drop. See Cathy Wittbrodt's work in this space, which was presented at NANOG some time ago. Note, I'm not saying you should *do* this. It may be going a bit too far for anti-spam. Eliot
On Mon, Sep 09, 2002 at 06:15:12PM -0700, lear@cisco.com said:
Rafi Sadowsky wrote:
Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS?
There is something called flow-based RED (FRED) but it consumes a whole lot of memory because you have to keep track of lots more state. I don't know about that code. At the least what you can do is use the rate-limit command and rate limit *all* outbound TCP/80 traffic (or for that matter all access-list captured traffic). Now, doing so will make any but the most trivial outbound TCP/80 absolutely painful, and will cause tail drop. See Cathy Wittbrodt's work in this space, which was presented at NANOG some time ago.
Note, I'm not saying you should *do* this. It may be going a bit too far for anti-spam.
Exactly. If operators as a group would just take the most elementary of steps to decrease spam (along the lines Paul suggested), the effects would be so significant that I think we wouldn't be worrying about HTTP spam traffic (at least for the time being). The fraction of spam traffic that runs over HTTP rather than SMTP is, I suspect, rather small. If anybody has numbers on this, I'd be interested in hearing them one way or the other. -- -= Scott Francis || darkuncle (at) darkuncle (dot) net =- GPG key CB33CCA7 has been revoked; I am now 5537F527 illum oportet crescere me autem minui
Don't have to do it with Cisco IOS. FreeBSD works quite nice for this. If an Internet Cafe, then place it on the upstream side of the network, or right before it.
On Tue, Sep 10, 2002 at 03:32:31AM +0300, Rafi Sadowsky wrote:
## On 2002-09-09 17:15 -0700 Eliot Lear typed:
EL> Paul Vixie wrote:
EL> > per-destination host AND port egress rate shaping. if someone tries to send more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single IP address, then you can safely RED their overage. this violates the whole peer-to-peer model but there's no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception.
EL>
EL> Please be aware that this could have unintended consequences, and should be used in very constrained ways. In particular, there are any number of applications, including VPN applications that use port 80. I would recommend that only specified destinations get such treatment, if you apply it at all.
Hi Eliot
Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS?
-- Regards, Rafi
Hi Eliot
Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS?
It is more trouble than it's worth. SPAM is not a technical problem. It is a social problem. Using technical methods is not going to solve the problem. In the end, every time we come up with another method of detecting and blocking spam, another method of bypassing this defense is going to show up. Alex
On Tue, 10 Sep 2002 09:45:19 EDT, alex@yuriev.com said:
It is more trouble than it's worth. SPAM is not a technical problem. It is a social problem. Using technical methods is not going to solve the problem.
There are two sayings that come to mind:
"You can't solve social problems with technical solutions"
"There are very few inter-personal problems that can't be solved by the suitable application of high explosives"
Most spam-fighting efforts on the technical side make the basic assumption that spam has similar characteristics to a properly designed TCP stack - that dropped/discarded spam-grams will trigger backoff at the sender. Unfortunately, discarding a high percentage of the grams will trigger a retransmit multiple times. Spam is likely going to be a problem until we either hire some thug muscle from <pick ethnic organized crime group>, or the government does it for us... -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
On Tue, 10 Sep 2002 Valdis.Kletnieks@vt.edu wrote:
It is more trouble than it's worth. SPAM is not a technical problem. It is a social problem. Using technical methods is not going to solve the problem.
There are two sayings that come to mind:
"You can't solve social problems with technical solutions"
That's what happens when you hang around with software engineers too long. They think all problems are solvable. And most problems, especially social ones, aren't: they need to be managed. Sure, you can't stop spam entirely by technical (or other) means, but that's no reason to ignore the problem and run an open relay.
"There are very few inter-personal problems that can't be solved by the suitable application of high explosives"
Sounds like a technical solution to me...
Spam is likely going to be a problem until we either hire some thug muscle from <pick ethnic organized crime group>, or the government does it for us...
Or we throw out SMTP and adopt a mail protocol that requires the sender to provide some credentials that can't be faked. Then known spammers are easy to blacklist.
On Tue, 10 Sep 2002 19:18:59 +0200, Iljitsch van Beijnum said:
Or we throw out SMTP and adopt a mail protocol that requires the sender to provide some credentials that can't be faked. Then known spammers are easy to blacklist.
It's nice to say "we make it easy to blacklist spammers". The problem is that those systems that *HAVE* made it easy to blacklist spammers are *ALWAYS* taking heat for making it easy - remember how ORBS was held in little high regard? And even the MAPS people have had their share of legal hassles. We don't even have to throw out SMTP - there's STARTTLS, AUTH, PGP, and so on. The problem is that we don't know how to do a PKI that will scale (note that the current SSL certificate scheme isn't sufficient, as it usually does a really poor job of handling CRLs - and the *lack* of ability to distribute a CRL (which is essentially a blacklist) is the crux of the problem. There's also the problem of distributing valid credentials to half a billion people - while still preventing spammers from getting any. The DMV hasn't learned how to keep *teenagers* from getting fake ID's, why should we expect to do any better in keeping a motivated criminal from getting a fake credential? It's not as easy as it looks. As Bruce Schneier talked about in "Secrets and Lies", where he does a hypothetical threat analysis regarding getting dinner in a restaurant without paying, most of the attacks actually have nothing to do with the part of the transaction where money changes hands... -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
On Tue, 10 Sep 2002 Valdis.Kletnieks@vt.edu wrote:
We don't even have to throw out SMTP - there's STARTTLS, AUTH, PGP, and so on. The problem is that we don't know how to do a PKI that will scale (note that the current SSL certificate scheme isn't sufficient, as it usually does a really poor job of handling CRLs - and the *lack* of ability to distribute a CRL (which is essentially a blacklist) is the crux of the problem.
So let everyone have their own. If you want to send me email, create a certificate for yourself. Then before you can actually transfer messages, your system asks permission to do so, my system sends back a challenge to yours so I'm sure you haven't faked your reply address and your certificate is whitelisted. If you spam me, I can blacklist your certificate, your email address or your domain. If I handle mail for many users, I can apply some heuristics: new certificates/domains only get to send a small number of messages per hour initially or something similar.
It's not as easy as it looks.
Granted, but it's also not so hard we can't improve on a 20 year old protocol. As (nearly) always, the problem is backward compatibility. That makes it next to impossible to get something useful off the ground.
On Tue, 10 Sep 2002, Iljitsch van Beijnum wrote:
Or we throw out SMTP and adopt a mail protocol that requires the sender to provide some credentials that can't be faked. Then known spammers are easy to blacklist.
The "credentials that can't be faked" is a rather hard to implement concept. Simply because there's no way to impose a single authority on the entire world. The question is whom to trust to certify the sender's authenticity? I have correspondents in parts of the world where I'd be very reluctant to trust "proper" authorities. It'd be so very easy to silence anyone by _not_ issuing credentials. Besides, anonymous communication has its merits. So what's needed is zero-knowledge authentication and Web-of-trust model. And don't forget key revocation and detection of fake identity factories. Messy, messy, messy. --vadim
<heresy> Or unless we design a network which does not rely on good will of its users for proper operation. </heresy>
--vadim
On Tue, 10 Sep 2002 Valdis.Kletnieks@vt.edu wrote:
Most spam-fighting efforts on the technical side make the basic assumption that spam has similar characteristics to a properly designed TCP stack - that dropped/discarded spam-grams will trigger backoff at the sender. Unfortunately, discarding a high percentage of the grams will trigger a retransmit multiple times.
Spam is likely going to be a problem until we either hire some thug muscle from <pick ethnic organized crime group>, or the government does it for us...
## On 2002-09-10 09:45 -0400 alex@yuriev.com typed:
Hi Eliot
Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS?
It is more trouble than it's worth.
IMHO there are other problems beside SPAM that can use per flow shaping/rate-limiting
SPAM is not a technical problem. It is a social problem. Using technical methods is not going to solve the problem. In the end, every time we come up with another method of detecting and blocking spam, another method of bypassing this defense is going to show up.
How about using a combination of technical and "social" measures For example in a Cyber Cafe use passive technical measures to count the total number of outbound SMTP sessions and charge 1$ per Email over an average rate of 2 Emails/minute and 10$ per Email exceeding a rate of 10 per minute
Alex
-- Rafi
Rafi Sadowsky wrote:
How about using a combination of technical and "social" measures For example in a Cyber Cafe use passive technical measures to count the total number of outbound SMTP sessions and charge 1$ per Email over an average rate of 2 Emails/minute and 10$ per Email exceeding a rate of 10 per minute
So the person who connects after sitting on a plane for 5 hours gets charged extra because the laptop bursts 50 messages ... There is no automated technical approach to a social problem. Public executions would be much more effective than preventing legitimate customers from getting their job done. Tony
At 1:51 PM -0700 2002/09/10, Eliot Lear wrote:
A proposed activity for Portland? Network engineer assisted homicide?
Seriously, how about a spam lottery? With payouts that only occur on the death of a known spammer? Of course, you'd have to ensure that the death was accidental, as we would not want to be seen as condoning or encouraging murder. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
## On 2002-09-10 13:41 -0700 Tony Hain typed:
TH> Rafi Sadowsky wrote:
TH> > How about using a combination of technical and "social" measures For example in a Cyber Cafe use passive technical measures to count the total number of outbound SMTP sessions and charge 1$ per Email over an average rate of 2 Emails/minute and 10$ per Email exceeding a rate of 10 per minute
TH>
TH> So the person who connects after sitting on a plane for 5 hours gets charged extra because the laptop bursts 50 messages ...
Well the numbers may need adjusting but please note that I suggested measuring the average not burst - so if said person buys 30 minutes online his *average* rate would be (just) under the 2 Emails/minute threshold
If needed change the first threshold to 4/5 per minute and the second threshold to 20 per minute
TH> There is no automated technical approach to a social problem. Public executions would be much more effective than preventing legitimate customers from getting their job done.
True in many cases but the punishment should be reasonable
You could define SPAM as theft in Saudi-Arabia & then a spammer would probably have his right hand chopped off ...
A little common sense would probably be useful in matching the punishment to the "crime"
TH>
TH> Tony
-- Rafi
Rafi Sadowsky <rafi-nanog@meron.openu.ac.il> wrote:
How about using a combination of technical and "social" measures.
How about nuking their DNS (providing they use DNS and not a URL with an IP address) from the face of the planet making sure they can't re-register it with any registrar? I know it gives them another hoop to jump through, but the jumping will keep them from spamming for a bit. Tim
Eliot Lear wrote:
Please be aware that this could have unintended consequences, and should be used in very constrained ways. In particular, there are any number of applications, including VPN applications that use port 80. I would recommend that only specified destinations get such treatment, if you apply it at all.
If somebody is ignorant enough to implement IP over HTTP, why should they be accommodated? There are numerous reasons why there are other port numbers to TCP than 80 and other protocol numbers to IP than 6. We could save a lot by eliminating unnecessary headers... Pete
## On 2002-09-10 10:02 +0300 Petri Helenius typed:
PH> >
PH> If somebody is ignorant enough to implement IP over HTTP, why should they be accommodated? There are numerous reasons why there are other port numbers to TCP than 80 and other protocol numbers to IP than 6.
Why do you think they're ignorant? Isn't TCP over HTTP normally used to attempt bypassing of firewalls?
IMHO Firewall/Security admins are ignorant if they don't take this into account
AFAIK you can tunnel IP over (at least):
1) HTTP (not just use port 80 for non HTTP traffic)
2) ICMP ...
3) DNS queries (needs an external "custom" cooperating DNS)
-- Rafi
Rafi Sadowsky wrote:
AFAIK you can tunnel IP over(at least):
1) HTTP(not just use port 80 for non HTTP traffic)
2) ICMP ...
3) DNS queries(needs an external "custom" cooperating DNS)
E-mail: http://detached.net/mailtunnel -- David
A twist we saw spammers using on dialup accounts in Miami could come to cyber cafes and could be ugly. They were dialing in and then using the IP address to send spam out some other connection elsewhere where RPF wasn't in use. The return packets all came back on their dialup into us, but bypassed our filters that were then only on outbound packets. Since these were wholesaled dial ports, we know there are no valid servers customers needed in RIPE and APNIC blocks and in long ACLs blocking various MSN servers, AND we know the dialup user's account. In a free cafe, you know none of that. Having an inbound mirror image of the outbound ACL helped initially, and then a coworker crafted a reflexive access list that really stopped them. Inbound packets had to have matching outbound ones or were tossed. We had visions of their finding a $spam$ friendly ISP that would sell them a SPAM OC-3 as long as he got no spam complaints. It could have served many spam machines running with dynamic IPs from many different ISPs and many user accounts on each - all at once. In the free cyber cafe that does not NAT and that does not know who the users are, there is potential for similar abuse.
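The three filter arrangements named in the message above (outbound ACL only, an inbound mirror of it, and a reflexive list) behave differently on return traffic whose outbound half left by another path. The model below is an added example, not the configuration the poster used: the packet tuples, addresses, the single blocked port and the 300-second idle timeout are all constructed assumptions.

```python
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


ISP_RELAY = "192.0.2.25"     # constructed: the provider's own mail relay
DIAL_IP = "192.0.2.130"      # constructed: address assigned to the dial-up port
IDLE_TIMEOUT = 300           # assumption: lifetime of a reflexive entry, seconds


class DialPortFilter:
    """Filter on one dial-up port, in one of three modes."""

    MODES = ("outbound-only", "mirror", "reflexive")

    def __init__(self, mode, allowed_smtp=(ISP_RELAY,)):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.mode = mode
        self.allowed_smtp = set(allowed_smtp)
        self.expected = {}   # reply tuple we expect to see -> expiry time

    def outbound(self, now, p):
        """Customer -> Internet. Static ACL: SMTP only to the provider's relay."""
        if p.dport == 25 and p.dst not in self.allowed_smtp:
            return False
        # Record the reply this packet should produce (addresses/ports swapped).
        reply = Packet(p.dst, p.dport, p.src, p.sport)
        self.expected[reply] = now + IDLE_TIMEOUT
        return True

    def inbound(self, now, p):
        """Internet -> customer."""
        if self.mode == "outbound-only":
            return True                      # nothing is checked on the way in
        if self.mode == "mirror":
            # Static mirror of the outbound rule: port-25 replies only from the relay.
            return not (p.sport == 25 and p.src not in self.allowed_smtp)
        expiry = self.expected.get(p)
        if expiry is None or expiry < now:
            self.expected.pop(p, None)
            return False                     # no matching outbound packet was seen
        self.expected[p] = now + IDLE_TIMEOUT
        return True


def run(mode):
    """Replay one constructed trace through a filter in the given mode."""
    f = DialPortFilter(mode)
    web = Packet(DIAL_IP, 40001, "203.0.113.80", 80)
    web_reply = Packet("203.0.113.80", 80, DIAL_IP, 40001)
    out = {}
    f.outbound(0, web)
    out["web_reply"] = f.inbound(1, web_reply)
    f.outbound(2, Packet(DIAL_IP, 40002, ISP_RELAY, 25))
    out["relay_reply"] = f.inbound(3, Packet(ISP_RELAY, 25, DIAL_IP, 40002))
    # Direct SMTP through the dial port is stopped by the outbound ACL.
    out["direct_smtp_out"] = f.outbound(4, Packet(DIAL_IP, 40003, "198.51.100.25", 25))
    # Return half of a session whose outbound half never crossed this filter.
    out["asym_smtp_return"] = f.inbound(5, Packet("198.51.100.25", 25, DIAL_IP, 40004))
    # Same, but from a port the static mirror list does not enumerate.
    out["asym_unlisted_return"] = f.inbound(6, Packet("198.51.100.26", 2525, DIAL_IP, 40005))
    # A reply arriving long after the reflexive entry has idled out.
    out["late_web_reply"] = f.inbound(400, web_reply)
    return out


if __name__ == "__main__":
    for mode in DialPortFilter.MODES:
        print(mode, run(mode))
```

The mirror list only rejects what it enumerates, while the reflexive mode rejects every inbound packet that has no recorded outbound counterpart, at the cost of keeping per-flow state with a timeout.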
barton@gnaps.com ("Barton F Bruce") writes:
A twist we saw spammers using on dialup accounts in Miami could come to cyber cafes and could be ugly.
They were dialing in and then using the IP address to send spam out some other connection elsewhere where RPF wasn't in use. The return packets all came back on their dialup into us, but bypassed our filters that were then only on outbound packets.
this has been going on for some time. the example you gave of an OC3 used for outbound-only tcp streams is noncontrived and has been seen more than twice. it's been a year or so, so i'll renew my question. is anybody, anywhere, including as a term of their peering agreement things like "must have a responsive abuse@ mailbox and act credibly to prevent spammers from becoming or remaining customers" or "must filter both bgp advertisements and ip source addresses from all customers, and require them to do likewise"? and if not, why not, and how long do you think it's going to take before we use economic methods to solve this scourge? -- Paul Vixie
If somebody is ignorant enough to implement IP over HTTP, why should they be accommodated? There are numerous reasons why there are other port numbers to TCP than 80 and other protocol numbers to IP than 6.
Unlike some people that immediately jump to conclusions, that someone may be not arrogant, but bright - using port TCP 80 is an excellent way to bypass firewalls. If your firewall performs content analysis, one can simply encode the data in valid HTML code. Alex
At 08:20 PM 9/9/2002 +0000, Paul Vixie wrote:
outbound SMTP should be blocked for any dynamic or dialup source within
One of the basic problems with discussions about spam control is that it focuses entirely on spam. Blocking output SMTP from individual dial-ups has a serious negative consequence: Laptop mobile users cannot use their home SMTP server. At best, they must reconfigure for each venue -- goodbye wireless hotspot convenience -- and that is IF they know the SMTP server address for the local access. In other words, by blocking output SMTP, mobile users are hurt badly. I know that *I* certainly am. Constantly and seriously. d/ ---------- Dave Crocker <mailto:dave@tribalwise.com> TribalWise, Inc. <http://www.tribalwise.com> tel +1.408.246.8253; fax +1.408.850.1850
On Tue, 10 Sep 2002, Dave Crocker wrote:
At 08:20 PM 9/9/2002 +0000, Paul Vixie wrote:
outbound SMTP should be blocked for any dynamic or dialup source within
One of the basic problems with discussions about spam control is that it focuses entirely on spam. Blocking output SMTP from individual dial-ups has a serious negative consequence:
Laptop mobile users cannot use their home SMTP server.
Why are mobile laptop users NOT using ssl/esmtp? This uses port 587 or 425 or something like that... additionally, it provides authentication for the connection. At least in small scenarios it works beautifully.
On Tue, 10 Sep 2002, Dave Crocker wrote:
At 08:20 PM 9/9/2002 +0000, Paul Vixie wrote:
outbound SMTP should be blocked for any dynamic or dialup source within
One of the basic problems with discussions about spam control is that it focuses entirely on spam. Blocking output SMTP from individual dial-ups has a serious negative consequence:
Laptop mobile users cannot use their home SMTP server.
I don't think Paul meant to say blocked as in 'connection refused', I think he meant that they should be redirected to a local machine that will happily send their mail (with reasonable limits on number of recipients per arbitrary time period, which all of your mail servers should have anyway). Andy xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Andy Dills 301-682-9972 Xecunet, LLC www.xecu.net xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Dialup * Webhosting * E-Commerce * High-Speed Access
On September 10, 2002 at 10:16 dhc2@dcrocker.net (Dave Crocker) wrote:
At 08:20 PM 9/9/2002 +0000, Paul Vixie wrote:
outbound SMTP should be blocked for any dynamic or dialup source within
One of the basic problems with discussions about spam control is that it focuses entirely on spam. Blocking output SMTP from individual dial-ups has a serious negative consequence:
Yeah, well, too late, that battle was fought and settled years ago. The spammers are driving the standards at this point, not reasonable people trying to make things work. Ultimately that's one of my big problems with spammers, they're like termites in the RFCs quietly chewing away at both the letter and intent. At this point your easy-to-agree-with point is kinda like saying "I pay taxes, I damned well ought to be able to walk any street in any city at any time of the day or night and be safe!" nice sentiment, but unfortunately no longer realistic, not where the criminals are in charge. -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD The World | Public Access Internet | Since 1989 *oo*
Well, it's clear that the real point I was trying to make was entirely missed by everyone, so let me try again. Dealing with problems, by focusing on absolute outbound port control, restricts legitimate use, as well as problematic use. For a group that is largely dominated by libertarian thinking, opting for blanket, outbound port control is odd. Very odd. Security mechanisms can choose between a default-yes or a default-no mode. Choosing to restrict outbound ports is a default-no. Think of this as the difference between democracy and totalitarianism. You get to do things until you try to do something wrong, versus you are not allowed to do anything until you first prove that it is ok. Spamming is a serious problem, and it needs serious responses, but we need to be very careful that dealing with the problem does not kill the net.
At 03:34 PM 9/10/2002 -0400, Barry Shein wrote:
On September 10, 2002 at 10:16 dhc2@dcrocker.net (Dave Crocker) wrote:
One of the basic problems with discussions about spam control is that it focuses entirely on spam. Blocking output SMTP from individual dial-ups has a serious negative consequence:
Yeah, well, too late, that battle was fought and settled years ago. The spammers are driving the standards at this point, not reasonable people trying to make things work.
There are no standards for these practises. There are component mechanisms, but no integrated solution that is documented in a standard. That's part of the problem. In reality what is being done is entirely ad hoc and inconsistent. Otherwise we could at least know what will work for all "conforming" sites. And we could migrate everyone over to it. And, again, let me stress that I am not saying spamming isn't a problem. But rather that dealing with spamming simplistically carries very serious side-effects.
At this point your easy-to-agree-with point is kinda like saying "I pay taxes, I damned well ought to be able to walk any street in any city at any time of the day or night and be safe!"
No. It is like saying that because there is some street crime, in some places, let's make it illegal to walk anywhere, ever. And it is like saying that because some people make obscene phone calls, all phone calls will now be monitored. That really is what these blanket outbound controls are like.
At 07:40 PM 9/10/2002 +0000, Paul Vixie wrote:
Laptop mobile users cannot use their home SMTP server.
in the business, we call this "tough noogies."
I had hoped that my reference to wireless hot-spot implications would make the scale and import of this approach adequately clear. That it does not nicely demonstrates why techies must not be in charge of a business that makes any claim to serving their customers. Broad-sweep, large-scale crippling of legitimate activity is not a realistic way to deal with a problem, even one as serious as spam.
At best, they must reconfigure for each venue -- goodbye wireless hotspot convenience -- and that is IF they know the SMTP server address for the local access.
i've gotten very good mileage out of ssl-smtp, and out of "port forwarding" so that my laptop uses 127.0.0.1:25 for outbound mail, which is actually a (ssh-borne) tunnel to my home smtp server.
There are always technical solutions that techies can follow. A more relevant question is what it will take for 100 million average users. As everyone on this list knows, the Internet is about scaling. So it is entirely irrelevant what any one of the people on this list can do to make things work. It is ONLY relevant what the impact is on 100 million other folks. Folks who are not sysadmins. Folks who cannot constantly reconfigure their systems. And ultimately it does not matter that a particular hack can be propagated, such as mapping 25 to a local ssl redirect. What matters is that the model that leads to that hack is broken even worse than spamming, because it says that the way to respond to a problem by some folks is to block all folks. Today, port 25. Tomorrow -- and in some places, today -- all ports except a precious few and even those are mediated.
be hurt now. but the design calls for a polite population, and while that was true of the internet in 1983, it is absolutely not true today.
Since I never said anything against adding security mechanisms, I'll just assume that you missed my point. In order not to bog down too far on that point, let me just ask: And the BCP that specifies the "correct" set of technologies, configurations, and use is...? However the danger of going down this path is to miss the larger point about the problem with wholesale outbound port blocking. d/ ---------- Dave Crocker <mailto:dave@tribalwise.com> TribalWise, Inc. <http://www.tribalwise.com> tel +1.408.246.8253; fax +1.408.850.1850
On September 10, 2002 at 14:20 dhc2@dcrocker.net (Dave Crocker) wrote:
Well, it's clear that the real point I was trying to make was entirely missed by everyone, so let me try again.
Dealing with problems, by focusing on absolute outbound port control, restricts legitimate use, as well as problematic use. For a group that is largely dominated by libertarian thinking, opting for blanket, outbound port control is odd. Very odd.
I think we do understand very well. In a nutshell: We're hosed. Everyone is running around willy-nilly doing things like blocking outbound port servers, analyzing mail headers which were never meant to be analyzed, doing full body text searching against hundreds of regexp patterns, blocking hundreds if not thousands of IP addresses and entire (CIDR forgive me) nets, etc.
At this point your easy-to-agree-with point is kinda like saying "I pay taxes, I damned well ought to be able to walk any street in any city at any time of the day or night and be safe!"
No. It is like saying that because there is some street crime, in some places, let's make it illegal to walk anywhere, ever.
The word for this is "curfew" and it's not unusual in troubled areas.
And it is like saying that because some people make obscene phone calls, all phone calls will now be monitored.
All phone calls are potentially monitorable because of problems like this. etc etc etc let's not quibble the analogies too much.
My point is that we are now in a high crime zone, and what the "laws" (standards) say are becoming less and less influential versus frantic attempts to stop crime (spam.)
You can't have law without order.
Put another way, if no one will (or can) enforce the law such that order prevails people will just do what they have to. This often results in chaos.
1. Outlaws running crazy in the streets, drunk, raping, looting, tipping badly, etc.
2. Citizens meet in the church, yell at the sheriff, sheriff shrugs shoulders, bunch of men grab rifles and march out to confront outlaws themselves.
3. Massacre, vigilantes shoot each other, other honest townspeople, criminals laugh hysterically and vow to get drunker and have more fun (Dave, you've come in just about here.)
4. New sheriff comes into town, scares the crap out of everyone because he's so mean. Threatens to hang any citizen who takes law into own hands, etc.
5. New sheriff cleverly thwarts criminals while citizenry cowers behind closed doors and drawn curtains.
6. Law and order is restored, townspeople tearfully beg new sheriff to stay. Sheriff sneers, rides into sunset, next time you have to do it for yourselves.
7. Haunting tune whistled, credits roll.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD The World | Public Access Internet | Since 1989 *oo*
On Tue, 10 Sep 2002, Barry Shein wrote:
4. New sheriff comes into town, scares the crap out of everyone because he's so mean. Threatens to hang any citizen who takes law into own hands, etc.
5. New sheriff cleverly thwarts criminals while citizenry cowers behind closed doors and drawn curtains.
6. Law and order is restored, townspeople tearfully beg new sheriff to stay. Sheriff sneers, rides into sunset, next time you have to do it for yourselves.
Some of us came from places where the new sheriff came and stayed. And because just scaring didn't work after some time, he proceeded to hang and hang and hang, murdering millions just to keep the rest properly scared.
When someone gets power he's quite unlikely to part with it on his own. Harsher view of the reality, if you wish. Or, rather, real life experience.
Calling on government to come and fix problems which can conceivably be fixed without it is a surefire way to get more sheriffs on your neck. HUAC[*] reading your e-mail to determine if it contains loathed un-american terrorist-sponsoring spam. With Ashcroft being in charge of grilling spammers. Or whomever he declared an enemy today.
Be careful with what you wish. Your wish may be granted.
--vadim
[*] House Un-American Activities Committee.
Ya know Vadim, with all due respect, some people choose to live on their knees, one govt after another.
You do know what happened to HUAC et al don't you? They got their butts thrown out of congress. Sen Joe McCarthy died a lonely, bitter, drunk.
Meanwhile, civilization demands of us to use a govt or govt-like entity to run a legal system, not vigilantism.
-b
On September 10, 2002 at 18:29 avg@exigengroup.com (Vadim Antonov) wrote:
Some of us came from places where the new sheriff came and stayed. And because just scaring didn't work after some time, he proceeded to hang and hang and hang, murdering millions just to keep the rest properly scared.
When someone gets power he's quite unlikely to part with it on his own. Harsher view of the reality, if you wish. Or, rather, real life experience.
Calling on government to come and fix problems which can conceivably be fixed without it is a surefire way to get more sheriffs on your neck. HUAC[*] reading your e-mail to determine if it contains loathed un-american terrorist-sponsoring spam. With Ashcroft being in charge of grilling spammers. Or whomever he declared an enemy today.
Be careful with what you wish. Your wish may be granted.
--vadim
[*] House Un-American Activities Committee.
At 09:53 PM 9/10/2002 -0400, Barry Shein wrote:
You do know what happened to HUAC et al don't you? They got their butts thrown out of congress. Sen Joe McCarthy died a lonely, bitter, drunk.
barry, look around and what's been happening over the last year. he's popular again. d/ ---------- Dave Crocker <mailto:dave@tribalwise.com> TribalWise, Inc. <http://www.tribalwise.com> tel +1.408.246.8253; fax +1.408.850.1850
Fortunately, our founding fathers also gave us not only the right, but the duty and the tools to take the treasonous out and dispose of them when they became a threat to the republic. That time is once again here. At 21:53 9/10/02 -0400, you wrote:
Ya know Vadim, with all due respect, some people choose to live on their knees, one govt after another.
You do know what happened to HUAC et al don't you? They got their butts thrown out of congress. Sen Joe McCarthy died a lonely, bitter, drunk.
Meanwhile, civilization demands of us to use a govt or govt-like entity to run a legal system, not vigilantism.
At 10:16 AM -0700 2002/09/10, Dave Crocker wrote:
Laptop mobile users cannot use their home SMTP server.
Depends on the configuration of the SMTP server and the mail server & client running on the laptop. With SMTPAUTH and/or TLSSMTP, and using a different (unfiltered) port, this shouldn't be a problem.
In other words, by blocking output SMTP, mobile users are hurt badly.
Can be. Yup. Think of all the iPass and GRiC customers who don't even know who the local provider is that they're dialing up, so that they can get a network connection?
I know that *I* certainly am. Constantly and seriously.
I'm very sorry to hear this. Maybe we can help you get SMTPAUTH and/or TLSSMTP set up on your server and/or client? -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
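The setup suggested in the message above (SMTPAUTH and/or TLS on a different, unfiltered port), as an added example that is not part of any post in this thread: a roaming client that refuses to send credentials unless the server offers STARTTLS and then AUTH. Port 587, the host name `mail.example.org`, the function names and the EHLO transcripts are assumptions constructed for illustration.

```python
import smtplib
import ssl

SUBMISSION_PORT = 587                  # assumption: home server accepts submission here
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}   # mechanisms that expose the password without TLS

# Constructed EHLO replies from a hypothetical home server, before and after STARTTLS.
EHLO_BEFORE_TLS = "250-mail.example.org\n250-SIZE 20480000\n250-STARTTLS\n250 8BITMIME"
EHLO_AFTER_TLS = "250-mail.example.org\n250-SIZE 20480000\n250-AUTH PLAIN LOGIN\n250 8BITMIME"


def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters, e.g. {'AUTH': ['PLAIN', 'LOGIN']}."""
    caps = {}
    for line in reply.splitlines()[1:]:          # first line is the server greeting
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def preflight(before_tls, after_tls):
    """Return a list of problems; an empty list means it is safe to log in and submit."""
    problems = []
    pre, post = parse_ehlo(before_tls), parse_ehlo(after_tls)
    if "STARTTLS" not in pre:
        problems.append("no STARTTLS: password and mail would cross the access network in cleartext")
    if CLEARTEXT_MECHS & set(pre.get("AUTH", [])):
        problems.append("AUTH PLAIN/LOGIN offered before TLS: server accepts cleartext passwords")
    if "AUTH" not in post:
        problems.append("no AUTH after TLS: server cannot tell its roaming user from a stranger")
    return problems


def submit(host, user, password, msg, port=SUBMISSION_PORT):
    """Send msg (an email.message.EmailMessage) through the home server from any network."""
    ctx = ssl.create_default_context()           # verifies the server certificate and name
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not offer STARTTLS; not sending credentials")
        smtp.starttls(context=ctx)
        smtp.ehlo()                              # capabilities must be re-read after TLS
        if not smtp.has_extn("auth"):
            raise RuntimeError("server does not offer AUTH after TLS")
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Offline demonstration on the constructed transcripts; submit() is not called.
    print(preflight(EHLO_BEFORE_TLS, EHLO_AFTER_TLS) or "safe to authenticate and submit")
```

An access provider that filters outbound port 25 can leave the submission port open, because relaying through it requires an authenticated account on the far end.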
The best way to stop spam from going out of an ISP is to:
A) Make a clear policy as part of the terms & conditions, including a significant clean-up fee + direct charges (e.g., if they ask you or prompt a legal question they can pay the legal fee for you to get it answered.)
B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)
C) Use (B) to enforce (A).
The problem in 99% of the cases is either (B) or ISPs who just don't care at all.
I no longer believe "it was a throwaway account" is a reasonable excuse except in a rare case where something slipped through the cracks, I understand it can happen. But when a spammer is creating throwaway after throwaway the ISP needs to change their account creation procedures because this information is shared by spammers and they've become a target.
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD The World | Public Access Internet | Since 1989 *oo*
At 2:37 PM -0400 2002/09/10, Barry Shein wrote:
A) Make a clear policy as part of the terms & conditions, including a significant clean-up fee + direct charges (e.g., if they ask you or prompt a legal question they can pay the legal fee for you to get it answered.)
That's nice to have, but hard to enforce. That is, unless you ask for a large up-front cash deposit.
B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)
Do you know how many credit cards are out there? Do you know how many of them are fake or stolen? You can't even get a decent charge that you can reliably apply to them, because the bank at the other end will refuse payment from a non-existent or closed account.
C) Use (B) to enforce (A).
Doesn't work. See above.
The problem in 99% of the cases is either (B) or ISPs who just don't care at all.
CyberCafe's can't use (B), even if it did work. That would violate their basic premise. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
Brad Knowles wrote:
B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)
Do you know how many credit cards are out there? Do you know how many of them are fake or stolen? You can't even get a decent charge that you can reliably apply to them, because the bank at the other end will refuse payment from a non-existent or closed account.
Then do what hotels do to avoid this problem.
When you are given the card number and info, you contact the bank and put a hold on the account for the expected amount of the bill. When the bill actually comes due, you put the charge through. You know that the charge will succeed because the bank is already holding that amount.
If the card is stolen, bogus, overdrawn, etc., then you won't be able to place the hold. In which case, you reject the application.
CyberCafe's can't use (B), even if it did work. That would violate their basic premise.
What basic premise? Free anonymous access? That's new to me. Every one I've seen charges for access. They can easily require charge cards in advance, and place holds on them, in order to identify stolen cards and criminal users. And once a known-valid card is in hand, it can be used to directly impose penalty charges on those that violate the cafe's AUP (which should exist and have no-spamming/no-hacking clauses.) If customers don't want to use charge cards, they can require a large cash deposit up-front, just like the video rental stores do if you try to get a membership without a charge card. -- David
On Wed, 11 Sep 2002, David Charlap wrote:
Brad Knowles wrote:
B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)
Do you know how many credit cards are out there? Do you know how many of them are fake or stolen? You can't even get a decent charge that you can reliably apply to them, because the bank at the other end will refuse payment from a non-existent or closed account.
Then do what hotels do to avoid this problem.
When you are given the card number and info, you contact the bank and put a hold on the account for the expected amount of the bill. When the bill actually comes due, you put the charge through. You know that the charge will succeed because the bank is already holding that amount.
If the card is stolen, bogus, overdrawn, etc., then you won't be able to place the hold. In which case, you reject the application.
This actually uses the standard mechanism for credit card transactions; I forget the proper terms, but basically what happens is that you apply the charges at point of sale but then the settlement is actually authorised later on in the day, or in the case of not needing payment the charge is revoked. You don't normally notice this in day-to-day shopping.
The problems are that you need to put an amount through and that will be taken off the card holder's credit limit, so how much do you want to take? Too little and you've not really secured any cash, too much and you could reduce their available balance too greatly and cause them issues (they overspend!)
But ok, your real point is that if the card isn't valid you will get a rejection there and then. But there's a catch to this also in that a lot of credit card fraud these days is done on valid numbers. This occurs quite simply as a result of going in a shop, giving someone your card and they either keep a copy of the number or where they don't get access to the systems can use hand held copiers to read the info off and upload later. These people then pass these perfectly legitimate numbers on.
Steve
CyberCafe's can't use (B), even if it did work. That would violate their basic premise.
What basic premise? Free anonymous access? That's new to me. Every one I've seen charges for access. They can easily require charge cards in advance, and place holds on them, in order to identify stolen cards and criminal users. And once a known-valid card is in hand, it can be used to directly impose penalty charges on those that violate the cafe's AUP (which should exist and have no-spamming/no-hacking clauses.)
If customers don't want to use charge cards, they can require a large cash deposit up-front, just like the video rental stores do if you try to get a membership without a charge card.
-- David
At 12:48 PM -0400 2002/09/11, David Charlap wrote:
When you are given the card number and info, you contact the bank and put a hold on the account for the expected amount of the bill. When the bill actually comes due, you put the charge through. You know that the charge will succeed because the bank is already holding that amount.
There are plenty of cards that don't properly authorize immediately. You can go ahead and place whatever hold you want or even make whatever charges you want, but a few days later you'll get a charge-back from the holding bank -- the charge was refused by the owner, the card doesn't actually exist, the card has been cancelled, etc.... They got the service, you theoretically claimed your payment, and then you get screwed. I have a card like this. I've never used it this way, but I have accidentally managed to charge way more stuff on the card than my available credit, and my bank has done charge-backs.
If the card is stolen, bogus, overdrawn, etc., then you won't be able to place the hold. In which case, you reject the application.
See above.
What basic premise? Free anonymous access?
No. Anonymous access for a minimal fee. You can't ask people to lay down $500 cash (or whatever your spamming charge is) and expect to stay in business.
Every one I've seen charges for access. They can easily require charge cards in advance, and place holds on them, in order to identify stolen cards and criminal users.
See above. There are also cards which don't properly authorize immediately, but the other way -- they are valid, the person presenting it really is the legal owner, there is plenty of available credit, but when you try to place a charge or a hold, it is refused. I have another card like this myself. As a CyberCafe operator, how do you deal with a situation where someone has only one card and it won't authorize?
If customers don't want to use charge cards, they can require a large cash deposit up-front,
How large? How far are you willing to go while you keep losing business?
just like the video rental stores do if you try to get a membership without a charge card.
Really? I've never seen that kind of behaviour here. -- Brad Knowles, <brad.knowles@skynet.be> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
On Wed, Sep 11, 2002 at 11:56:32PM +0200, Brad Knowles wrote:
There are also cards which don't properly authorize immediately, but the other way -- they are valid, the person presenting it really is the legal owner, there is plenty of available credit, but when you try to place a charge or a hold, it is refused. I have another card like this myself.
As a CyberCafe operator, how do you deal with a situation where someone has only one card and it won't authorize?
Depends on the relative costs. See below.
If customers don't want to use charge cards, they can require a large cash deposit up-front,
How large? How far are you willing to go while you keep losing business?
That depends - how long will you be able to get an upstream which doesn't cancel your service for failure to deal with the problem? That, more than anything, is the opposite pressure cost - if it costs these places less to allow spam than to prohibit it, because nobody whacks them with an AUP saying "your efforts are insufficient", well, they're a business - they'll go with what's cheaper.
just like the video rental stores do if you try to get a membership without a charge card.
Really? I've never seen that kind of behaviour here.
All the time, around here. Summary: as with every other natural resource, 'the commons' are now held under market rule. If it turns a profit to spoil them, it will end up happening. The question is how to make it more costly to permit spam than to deny it. And on that note, it's the same old tune, and is no longer operational. -- *************************************************************************** Joel Baker System Administrator - lightbearer.com lucifer@lightbearer.com http://users.lightbearer.com/lucifer/
On Wed, 11 Sep 2002, Brad Knowles wrote:
B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)
C) Use (B) to enforce (A).
Doesn't work. See above.
Back in the day, a reasonable BBS would voice-validate all new users. This meant getting a valid phone number from a new user, and actually calling them back at that number, before activating an account. We started as a BBS giving out Unix shell accounts. Our new user registration screen still says we voice-validate all new accounts, and we do. ========================================================== Chris Candreva -- chris@westnet.com -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
And locking your car, taking the keys, setting the alarm or whatever doesn't guarantee someone won't load it into a soundproof truck. BUT IT HELPS! And having run an ISP for 13 years now I'm here to tell you what I say HELPS. I'm not just making this stuff up, I'm telling you what I know from experience. Spammers et al look for easy marks they don't have to compound their crimes with. As to CyberCafes, I don't know anything about those, never used one, never thought about it, surprised they'd be popular with spammers. -b On September 11, 2002 at 14:12 brad.knowles@skynet.be (Brad Knowles) wrote:
At 2:37 PM -0400 2002/09/10, Barry Shein wrote:
A) Make a clear policy as part of the terms & conditions, including a significant clean-up fee + direct charges (e.g., if they ask you or prompt a legal question they can pay the legal fee for you to get it answered.)
That's nice to have, but hard to enforce. That is, unless you ask for a large up-front cash deposit.
B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)
Do you know how many credit cards are out there? Do you know how many of them are fake or stolen? You can't even get a decent charge that you can reliably apply to them, because the bank at the other end will refuse payment from a non-existent or closed account.
C) Use (B) to enforce (A).
Doesn't work. See above.
The problem in 99% of the cases is either (B) or ISPs who just don't care at all.
CyberCafe's can't use (B), even if it did work. That would violate their basic premise.
-- Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
-- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD The World | Public Access Internet | Since 1989 *oo*
participants (29)
- Al Rowland
- alex@yuriev.com
- Andy Dills
- Barry Shein
- Barton F Bruce
- blitz
- Brad Knowles
- Christopher L. Morrow
- Christopher X. Candreva
- Dan Hollis
- Dave Crocker
- David Charlap
- Eliot Lear
- Hank Nussbacher
- Iljitsch van Beijnum
- Joel Baker
- John M. Brown
- Marshall Eubanks
- Paul Vixie
- Petri Helenius
- Rafi Sadowsky
- Richard A Steenbergen
- Scott Francis
- Stephen J. Wilcox
- tim.thorne@btinternet.com
- Tony Hain
- Vadim Antonov
- Valdis.Kletnieks@vt.edu
- William Waites