Date: Fri, 3 May 2002 15:27:08 -0700 (PDT)
From: Scott Granados <scott@graphidelix.net>
I realize this statement I'm about to make is going to open a huge... can o worms but ... and hopefully everyone knows I mean this in the most friendly responsible way ever but I'm not sure entirely what the big deal with spam is. Honestly sure I get it like everyone else, in some [...snip...] money. Today with flat rate access and many people not paying on a per packet basis it seems to me that the responsibility lies with the end user to filter properly and or press that delete key. I always shut [...snip...]
The problem with this is that, yes, to the END USER, there is no direct cost involved.
However, in order to maintain the same level of service, the ISP is forced to go get a bigger pipe and/or bigger, faster routers and/or servers. (Raises prices a bit per account)
The transit provider raises the costs to the ISP because the packet count has gone way up.
The backbone provider has equipment running a bit hotter because of the increased packet count. This may cause them to either increase the bill to the transit provider and/or procure bigger and better equipment (to handle the load) before their planned replacement time...
The peers to this ISP are forced to get either bigger pipes and/or more costly equipment (routers) in order to handle the increased packet count they might be seeing.
In all of this, the bozo (well..., 'user' really) originating the email (well, spam) has not paid a thing other than a temporary interruption in service for one of his throw-away accounts and is still paying a 'flat rate' for the POP (dial-in) service that HIS isp is providing.
For snail mail junk mail (aka spam), the mailer bears ALL of the costs and, if there is insufficient returns on their junk mail, is forced to stop. A 'spammer' does not see these costs and thus has no incentive to find another model to do business.
We get, for our 7K users, upwards of 25,000+ unwanted messages per day that make it past our not so rigid filters.
My $0.02 worth. Use the delete key...
Regards, Gregory Hicks
On Fri, 3 May 2002, Mitch Halmu wrote:
On Fri, 3 May 2002, Paul Vixie wrote:
I hate to sound like the big idiot here, but what exactly in the email you received indicates no-ip.com spammed? It looks to me like you just have some secret "admirer" who thought you wanted a no-ip.com account, and no-ip.com emailed you to confirm that you do want the account.
spam is like pollution in that (a) whenever you're not sure if you're doing it, you probably are, and (b) if everybody did whatever it is, life would be universally worse for, well, everybody.
Random disclaimer: Yes, we're a competitor of no-ip.com's... And yes, we used to send similar emails to people signing up for an account, although nowadays instead of sending them an initial password we send a confirm URL instead.
that's the right approach. no-ip's problem was they presumed my permission.
You don't even have to be in the "big idiot" league to figure out that in both the "wrong" and the "right" approach as sanctioned above by a higher authority, an email message (aka spam) is sent to the presumed subscriber.
One sends a password, one asks for permission to issue a password on their site. What's the difference in the annoy factor, if indeed one were to be subscribed by a secret "admirer"?
Mr. Halmu chose to think, rather than blindly obey...
--Mitch NetSide
I'm curious on this "extra traffic" data, since I'm somewhat involved with antispam website, it'd be interesting to get the statistics and post it to explain others how bad spam is for internet not only in annoyance but in actual extra costs and wasted traffic. Do you have data on approximate amount of this extra mail bandwidth due to spam per user? Actually let's be more exact, can some of you with 10,000 real user mail accounts reply how much traffic your mail server is using and if you have spam filter, how much (in percentage) of mail were filters. And how big were the filtered spam in comparison to all other regular mails? And if possible how much in amount of disk space was it in comparison to all other emails?
On Fri, 3 May 2002, Gregory Hicks wrote:
Date: Fri, 3 May 2002 15:27:08 -0700 (PDT)
From: Scott Granados <scott@graphidelix.net>
I realize this statement I'm about to make is going to open a huge... can o worms but ... and hopefully everyone knows I mean this in the most friendly responsible way ever but I'm not sure entirely what the big deal with spam is. Honestly sure I get it like everyone else, in some [...snip...] money. Today with flat rate access and many people not paying on a per packet basis it seems to me that the responsibility lies with the end user to filter properly and or press that delete key. I always shut [...snip...]
The problem with this is that, yes, to the END USER, there is no direct cost involved.
However, in order to maintain the same level of service, the ISP is forced to go get a bigger pipe and/or bigger, faster routers and/or servers. (Raises prices a bit per account)
The transit provider raises the costs to the ISP because the packet count has gone way up.
The backbone provider has equipment running a bit hotter because of the increased packet count. This may cause them to either increase the bill to the transit provider and/or procure bigger and better equipment (to handle the load) before their planned replacement time...
The peers to this ISP are forced to get either bigger pipes and/or more costly equipment (routers) in order to handle the increased packet count they might be seeing.
In all of this, the bozo (well..., 'user' really) originating the email (well, spam) has not paid a thing other than a temporary interruption in service for one of his throw-away accounts and is still paying a 'flat rate' for the POP (dial-in) service that HIS isp is providing.
For snail mail junk mail (aka spam), the mailer bears ALL of the costs and, if there is insufficient returns on their junk mail, is forced to stop. A 'spammer' does not see these costs and thus has no incentive to find another model to do business.
We get, for our 7K users, upwards of 25,000+ unwanted messages per day that make it past our not so rigid filters.
My $0.02 worth. Use the delete key...
Regards, Gregory Hicks
On Fri, 3 May 2002, Mitch Halmu wrote:
On Fri, 3 May 2002, Paul Vixie wrote:
I hate to sound like the big idiot here, but what exactly in the email you received indicates no-ip.com spammed? It looks to me like you just have some secret "admirer" who thought you wanted a no-ip.com account, and no-ip.com emailed you to confirm that you do want the account.
spam is like pollution in that (a) whenever you're not sure if you're doing it, you probably are, and (b) if everybody did whatever it is, life would be universally worse for, well, everybody.
Random disclaimer: Yes, we're a competitor of no-ip.com's... And yes, we used to send similar emails to people signing up for an account, although nowadays instead of sending them an initial password we send a confirm URL instead.
that's the right approach. no-ip's problem was they presumed my permission.
You don't even have to be in the "big idiot" league to figure out that in both the "wrong" and the "right" approach as sanctioned above by a higher authority, an email message (aka spam) is sent to the presumed subscriber.
One sends a password, one asks for permission to issue a password on their site. What's the difference in the annoy factor, if indeed one were to be subscribed by a secret "admirer"?
Mr. Halmu chose to think, rather than blindly obey...
--Mitch NetSide
-- William Leibzon Elan Communications
On Fri, 3 May 2002 william@elan.net wrote:
Do you have data on approximate amount of this extra mail bandwidth due to spam per user? Actually let's be more exact, can some of you with 10,000 real user mail accounts reply how much traffic your mail server is using and if you have spam filter, how much (in percentage) of mail were filters. And how big were the filtered spam in comparison to all other regular mails? And if possible how much in amount of disk space was it in comparison to all other emails?
Since sendmail applies our dnsbl rules before accepting the message, I can't say how much bandwidth the blocked spam would have used. On a MX that handles mail for several tens of thousands of actual user accounts, it's not unusual for us to deliver ~400k messages and reject anywhere from 200k-500k messages. A few weeks ago we had a several day period during which we rejected > 1,000,000 messages/day.
The rejected numbers can be somewhat inflated though by the 'alphabet spammers'. I'm not sure what else to call them...but these are the people who try to send mail to every conceivable address @yourdomain. If you run a large mail server, you've probably seen them hit you. When they dump their random address spam on an open relay, that relay gets blacklisted pretty quickly, resulting in large numbers of dnsbl rejected messages that would have eventually bounced as 'no such user' bounces, and likely double bounced.
Worse, IMO, than the bandwidth issue (mail from/rcpt to/571 doesn't use that much bandwidth), is the mail server load issue. A couple of open relays pounding on our mail servers trying to deliver a truckload of spam someone dumped on them will drive up the load in no time. I'm seriously considering adapting some existing code to watch syslog data and use kernel packet filtering to cut off connectivity for say 24h from IP's after N dnsbl caused rejections in Y minutes. This should reduce load considerably. While typing this I was just watching the log on one mail server and noticed several rejections/sec from mail.ignacio.k12.co.us. That system is an open relay (listed in several blacklists) and has been trying to deliver mail to atlantic.net since last wednesday. We've rejected from them the following numbers of messages:
Wed: 82102
Thur: 286861
Fri: 215779
Sat (so far): 62128
--
----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
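The syslog-watching idea in the message above (cut an IP off for 24h after N dnsbl-caused rejections in Y minutes), worked through as an added example; it is not code from the thread or from any poster. The log layout, the sample lines, the use of reply code 571 as the dnsbl marker, and every name below are assumptions, and the function only returns block decisions, leaving the packet-filter rule to the caller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout, constructed for this example (not copied from the thread):
#   <Mon> <day> <time> <host> sendmail[<pid>]: ... relay=<name> [<ip>], reject=<code> ...
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sendmail\[\d+\]:.*"
    r"relay=\S*\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*\breject=(?P<code>\d{3})\b"
)


def parse_reject(line, year=2002):
    """Return (timestamp, ip, code) for a rejection line, or None for anything else."""
    m = REJECT_RE.match(line)
    if m is None:
        return None
    # Classic syslog timestamps carry no year, so the caller has to supply one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["code"]


class RejectionBlocker:
    """Block an IP for `block_for` once it causes `max_rejects` rejections within `window`."""

    def __init__(self, max_rejects, window, block_for=timedelta(hours=24)):
        self.max_rejects = max_rejects
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)   # ip -> rejection times still inside the window
        self.blocked_until = {}            # ip -> block expiry

    def observe(self, ts, ip):
        """Record one rejection; return the block expiry if it triggers a new block."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if ts < until:
                return None                # already blocked, nothing new to do
            del self.blocked_until[ip]     # block expired, start counting again
        q = self.recent[ip]
        q.append(ts)
        while ts - q[0] > self.window:     # drop rejections older than Y minutes
            q.popleft()
        if len(q) < self.max_rejects:
            return None
        del self.recent[ip]
        self.blocked_until[ip] = ts + self.block_for
        return self.blocked_until[ip]


def scan(lines, max_rejects, window, dnsbl_codes=("571",)):
    """Feed log lines through the blocker; return [(ip, blocked_at, blocked_until)]."""
    blocker = RejectionBlocker(max_rejects, window)
    decisions = []
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None or parsed[2] not in dnsbl_codes:
            continue                       # deliveries, 'user unknown' rejects, etc.
        ts, ip, _ = parsed
        until = blocker.observe(ts, ip)
        if until is not None:
            decisions.append((ip, ts, until))  # caller installs the filter rule here
    return decisions


# Constructed sample input: one relay hammering the MX, one occasional offender,
# one normal delivery and one non-dnsbl rejection.
SAMPLE_LOG = """\
May  4 10:00:01 mx1 sendmail[2101]: g44E01a02101: ruleset=check_relay, arg1=relay.example.net, arg2=192.0.2.25, relay=relay.example.net [192.0.2.25], reject=571 5.7.1 refused, listed in dnsbl
May  4 10:00:02 mx1 sendmail[2102]: g44E02b02102: ruleset=check_relay, arg1=relay.example.net, arg2=192.0.2.25, relay=relay.example.net [192.0.2.25], reject=571 5.7.1 refused, listed in dnsbl
May  4 10:00:02 mx1 sendmail[2103]: g44E02c02103: from=<a@example.com>, size=1200, relay=mail.example.com [203.0.113.40]
May  4 10:00:03 mx1 sendmail[2104]: g44E03d02104: ruleset=check_relay, arg1=dial.example.org, arg2=198.51.100.7, relay=dial.example.org [198.51.100.7], reject=571 5.7.1 refused, listed in dnsbl
May  4 10:00:03 mx1 sendmail[2105]: g44E03e02105: ruleset=check_relay, arg1=relay.example.net, arg2=192.0.2.25, relay=relay.example.net [192.0.2.25], reject=571 5.7.1 refused, listed in dnsbl
May  4 10:00:04 mx1 sendmail[2106]: g44E04f02106: ruleset=check_relay, arg1=relay.example.net, arg2=192.0.2.25, relay=relay.example.net [192.0.2.25], reject=571 5.7.1 refused, listed in dnsbl
May  4 10:00:05 mx1 sendmail[2107]: g44E05g02107: ruleset=check_rcpt, arg1=<zzz@example.com>, relay=host.example.com [203.0.113.9], reject=550 5.1.1 User unknown
May  4 10:00:06 mx1 sendmail[2108]: g44E06h02108: ruleset=check_relay, arg1=relay.example.net, arg2=192.0.2.25, relay=relay.example.net [192.0.2.25], reject=571 5.7.1 refused, listed in dnsbl
May  4 10:00:07 mx1 sendmail[2109]: g44E07i02109: ruleset=check_relay, arg1=relay.example.net, arg2=192.0.2.25, relay=relay.example.net [192.0.2.25], reject=571 5.7.1 refused, listed in dnsbl
May  4 10:30:00 mx1 sendmail[2110]: g44EU0j02110: ruleset=check_relay, arg1=dial.example.org, arg2=198.51.100.7, relay=dial.example.org [198.51.100.7], reject=571 5.7.1 refused, listed in dnsbl
"""

if __name__ == "__main__":
    for ip, start, until in scan(SAMPLE_LOG.splitlines(), 5, timedelta(minutes=10)):
        print(f"block {ip} from {start} until {until}")
```

Only dnsbl rejections count toward the threshold, so the "user unknown" rejects produced by random-address runs do not by themselves trigger a block.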
At the moment I'm actually interested in statistics on size of spam messages as compared to average size of mail message to try to calculate amount of mail bandwidth they really waste... My own calculations show around 27% spam email and I've seen statistics from 20-30% from others (someone else also wrote me 1/3 of the email, this is a little inflated but shows generally what is). But I'm interested in actual numbers on per size of email statistics if possible.
On Sat, 4 May 2002 jlewis@lewis.org wrote:
On Fri, 3 May 2002 william@elan.net wrote:
Do you have data on approximate amount of this extra mail bandwidth due to spam per user? Actually let's be more exact, can some of you with 10,000 real user mail accounts reply how much traffic your mail server is using and if you have spam filter, how much (in percentage) of mail were filters. And how big were the filtered spam in comparison to all other regular mails? And if possible how much in amount of disk space was it in comparison to all other emails?
Since sendmail applies our dnsbl rules before accepting the message, I can't say how much bandwidth the blocked spam would have used. On a MX that handles mail for several tens of thousands of actual user accounts, it's not unusual for us to deliver ~400k messages and reject anywhere from 200k-500k messages. A few weeks ago we had a several day period during which we rejected > 1,000,000 messages/day.
The rejected numbers can be somewhat inflated though by the 'alphabet spammers'. I'm not sure what else to call them...but these are the people who try to send mail to every conceivable address @yourdomain. If you run a large mail server, you've probably seen them hit you. When they dump their random address spam on an open relay, that relay gets blacklisted pretty quickly, resulting in large numbers of dnsbl rejected messages that would have eventually bounced as 'no such user' bounces, and likely double bounced.
Worse, IMO, than the bandwidth issue (mail from/rcpt to/571 doesn't use that much bandwidth), is the mail server load issue. A couple of open relays pounding on our mail servers trying to deliver a truckload of spam someone dumped on them will drive up the load in no time. I'm seriously considering adapting some existing code to watch syslog data and use kernel packet filtering to cut off connectivity for say 24h from IP's after N dnsbl caused rejections in Y minutes. This should reduce load considerably. While typing this I was just watching the log on one mail server and noticed several rejections/sec from mail.ignacio.k12.co.us. That system is an open relay (listed in several blacklists) and has been trying to deliver mail to atlantic.net since last wednesday. We've rejected from them the following numbers of messages:
Wed: 82102
Thur: 286861
Fri: 215779
Sat (so far): 62128
I've been roasted privately and called naive in thinking that pay-per-mail is a valid solution.
Let me first say that the $0.02 I pulled "out of the air" was derived simply by taking the $80/hr I bill to clients and dividing that by 3600 (number of seconds in an hour) thus $0.022. I'd say that about 1 second per email is probably real in relation to my time.
Let me explain why I've come up the pay per message as an answer. I realize that this has got issues with it - such as abuses of the micropayment system, etc. etc. etc.
Anyone who thinks that government can pass a law and this will go away is hopelessly naive. The spammers will go overseas. Besides, if you look at the content of a lot of the spams I receive I doubt the senders care much about the law. The junk fax law, in my opinion, worked primarily because sending faxes from locations outside the us jurisdiction cost more and there were few things you could provide from overseas which were marketable via fax.
Anyone who thinks we're going to be able to educate people and make them all close their open relays is going to make the problem go away is hopelessly naive. There are just too many admins out there, most of which are of the "I think running my own mail server is a good idea, but I really don't have much of a clue about how the mail server REALLY works" variety. It's not possible.
That leaves technological measures. Spam filters are a good idea, but spam is a very moving target. I run spamassassin (highly recommended) on a couple of mail servers. When I first install a newly-released version of spamassassin it is nearly perfect. Over a couple of months it gets less and less effective, at which point I install the newest version, which improves effectiveness again. Occam's razor is good, but in reality only catches spam if it has been reported to the razor. rbldns lists are effective only against the worst offenders, as the rest don't get reported until it is too late. and so on.
I think the only other methods I can think of are best described as some sort of "web of trust" type method. These are essentially whitelist systems. In order to send me mail you have to *do* something.
The first option is a traditional "If you send me email and I don't know you, I'll bounce the message and you have to reply with a specially formatted mail message in order to get your mail through". The main problem with this model is that in circumstances where bulk mailing is necessary (such as notifications of credit card payment due, etc.), you run into a problem. The other thing is that eventually, spammers will learn how to respond to these messages automatically.
The second is more of a secure-smtp model, in that each mail server is "Certificated" in one way or another and that you only accept mail from "Certificated" mail servers. One of the conditions of being "certificated" is verification of anti-spam technological and other measures (such as being able to identify spammers, etc.). In a small internet, this is a perfectly workable solution. In a globally sized one, it seems to me that the likelihood of spammers being able to work around the system is as close to 100% as you can get.
The pay-per-message system I proposed was an outgrowth of the "certificated" option. In essence, my theory is that if you paid *something* for each message you send, then everything should equal out in the long run. Generally, other than mailing lists and spam, I send about 1 message for every one I receive. A spammer sends tens of thousands of messages for every one he receives.
There are a whole new set of problems caused by this which I think have mostly been mentioned - to summarize, they mostly relate to the technical problems with doing this, plus the possibility of abuse of the system, etc. etc. etc.
Someone pointed me to a discussion of camram at http://harvee.billerica.ma.us/~esj/camram.html. I initially *like* something like this option. In short, it forces the sender to spend a lot of CPU cycles for every message they send. Need to send a lot of email, well, spend a LOT of cpu cycles.
The point I was trying to make with the pay-per-message is that the real cause of spam is an economic one. That is, the cost of sending the spam is less than the profit the spammers make from the spam. If we can increase the cost of sending the spam, then we will lessen the profitability of sending it, and the problem will diminish substantially. Remember almost 100% of the spam is driven by greed, and if we can't satisfy the greed of the spammers, they will go elsewhere.
- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
The Innovation Machine Ltd. P.O. Box 5749
http://www.imach.com/ Helena, MT 59604
Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648
----------------------------------------------------------------------
Protect your personal freedoms - visit http://www.lp.org/
"Forrest W. Christian" wrote:
Anyone who thinks that government can pass a law and this will go away is hopelessly naive.
Uh, thanks. The government has all kinds of property protection laws. My mail spool is my property. Do the math.
The spammers will go overseas.
Are they marketing products and goods sold domestically? Who cares where the spam came from if the numbskull is domestic?
The first option is a traditional "If you send me email and I don't know you, I'll bounce the message and you have to reply with a specially formatted mail message in order to get your mail through".
Whitelists are just another form of "no trespassing" property protection.
The pay-per-message system I proposed was an outgrowth of the "certificated" option.
First, nobody wants to pay $.02 to email grandma. They will pick up the phone instead. Second, nobody will send any emails that they don't have to, period. This will just drive Internet users away because of the cost rather than being driven away because of spam.
Laws are a necessary first step and will have the most positive effect. Micropayments won't be needed if the right laws are passed. Given the history, the biggest problem with the legal approach is that congress will pass a bad law instead of the one they need to, which is to extend the TCPA to include spam.
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Sat, 4 May 2002, Eric A. Hall wrote:
> "Forrest W. Christian" wrote:
> > Anyone who thinks that government can pass a law and this will go away
> > is hopelessly naive.
> Uh, thanks. The government has all kinds of property protection laws. My
> mail spool is my property. Do the math.
Been there, done that, and it made no significant difference. Both J.D. Falk and I put a lot of work into getting tough anti-spam legislation passed, and we were successful. Here in California we now have jail time for second-offense spammers. Does it make a damned bit of difference? No. Was it worth trying? Yes, of course.
The conclusion I came to at the time was that the bond-posting micropayment schemes were the only way out of the problem, and I haven't seen anything to change my mind on that since. Whitelists are too drastic, I think, but I'm slowly headed that way.
-Bill
On Sat, 4 May 2002, Eric A. Hall wrote:
Uh, thanks. The government has all kinds of property protection laws. My mail spool is my property. Do the math.
Your car is your private property as well, but if you park it in a public place, with the engine running, and offer every passerby the opportunity to use it at no cost or obligation, "the government" is not going to help you get the car back when someone takes you up on your offer.
Laws are a necessary first step and will have the most positive effect. Micropayments won't be needed if the right laws are passed. Given the history, the biggest problem with the legal approach is that congress will pass a bad law instead of the one they need to, which is to extend the TCPA to include spam.
Yeah, another unenforceable law that nobody will give a shit about, except when it's time to pay for the [non-enforcing] "enforcement agents" (tax time).
--
Yours,
J.A. Terranson
sysadmin@mfn.org
If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics.
The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
--------------------------------------------------------------------
On Sat, 4 May 2002, Eric A. Hall wrote:
First, nobody wants to pay $.02 to email grandma. They will pick up the phone instead. Second, nobody will send any emails that they don't have to, period. This will just drive Internet users away because of the cost rather than being driven away because of spam.
I'm talking strictly end-user to end-user payments here. The people in the middle would get *nothing* beyond what they are getting today.
Grandma would get 2c for each mail she received. Grandma would pay 2c for each email she sent. Where does that cause the problems you are talking about?
- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
The Innovation Machine Ltd. P.O. Box 5749
http://www.imach.com/ Helena, MT 59604
Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648
----------------------------------------------------------------------
Protect your personal freedoms - visit http://www.lp.org/
"Forrest W. Christian" wrote:
Grandma would get 2c for each mail she received. Grandma would pay 2c for each email she sent. Where does that cause the problems you are talking about?
I send a lot more mail than grandma does.
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
<facetious> Hey! Where's my reply? I'm in the hole $.04 on this thread now! Right! No more mail to you until you send me two messages! </facetious>
Then we all move to some other medium that doesn't cost money -- and then the spammers follow us there too.
"Eric A. Hall" wrote:
"Forrest W. Christian" wrote:
Grandma would get 2c for each mail she received. Grandma would pay 2c for each email she sent. Where does that cause the problems you are talking about?
I send a lot more mail than grandma does.
-- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Sat, 4 May 2002, Eric A. Hall wrote:
Grandma would get 2c for each mail she received. Grandma would pay 2c for each email she sent. Where does that cause the problems you are talking about?
I send a lot more mail than grandma does.
Yes, but even if you send one a day and she never responds, this only comes out to $7.30/year.
Hey, I'm not saying this is perfect. I'm just saying that passing laws and filtering and depending on admins to do the "right thing" just doesn't work. Ask people in those states which have anti-spam laws how many fewer spam messages they receive than before.
We need something else. It must be enforceable at the receiving side, and we must be able to step into it gradually.
The best solution I've seen, thanks to someone else on the list, is camram, which makes you pay for the email sending with proving you have spent about 15 seconds worth of CPU cycles. In fact, I'm thinking this is probably a better solution than the pay-per-message solution, as we don't have to worry about settlement, etc. etc. which was the real problem with the pay-per-message.
- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
The Innovation Machine Ltd. P.O. Box 5749
http://www.imach.com/ Helena, MT 59604
Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648
----------------------------------------------------------------------
Protect your personal freedoms - visit http://www.lp.org/
"Forrest W. Christian" wrote:
Ask people in those states which have anti-spam laws how many fewer spam messages they receive than before.
Although responding to this message puts me back to -$.04, I will point out that the junk fax law worked pretty well. It didn't take long for people to get the point that they shouldn't be faxing lunchroom menus to everybody in their area code.
The spam laws are geographically constrained and inconsistently interpreted. A federal law would have significantly greater impact.
The camram stuff is a neat idea but IMO it is even less likely to succeed, since there isn't anybody with a financial incentive to make sure that it works and to drive the necessary adoptions. A micropayment option with a big backer at least has the chance to do things like pay email developers to add support for it.
--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Sat, May 04, 2002 at 07:22:35PM -0500, Eric A. Hall wrote:
Ask people in those states which have anti-spam laws how many fewer spam messages they receive than before.
Although responding to this message puts me back to -$.04, I will point out that the junk fax law worked pretty well. It didn't take long for people to get the point that they shouldn't be faxing lunchroom menus to everybody in their area code.
Faxes are a little bit easier to trace than email.
The bottom line is, spamming makes money. People don't spam because they think that maybe it might work, they spam because it gets responses and it makes them money. Maybe one really stupid person gets prosecuted on an anti-spam law once, but it doesn't seem to be making much of an impact. If you beheaded 10 spammers on primetime TV I really don't think they would stop. Spamming will stop when it stops being effective.
That said, I'm pretty sure this thread has now exercised my D key more than a month's supply of spam. Isn't it about time we called it a day, or perhaps moved this to a list more appropriate for complaining and sending email about people sending email. :)
--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Sat, 4 May 2002, Richard A Steenbergen wrote:
Faxes are a little bit easier to trace than email.
Sometimes. If the faxer is identifying s/h/itself properly.
--
Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek)
JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net
"The Indians are unfolding into the 2002 season like a lethal lawn chair." (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
I want to clarify this a bit, before I get flamed (not that I'm not going to anyways).
On Sat, 4 May 2002, Forrest W. Christian wrote:
The people in the middle would get *nothing* beyond what they are getting today.
Grandma would get 2c for each mail she received. Grandma would pay 2c for each email she sent. Where does that cause the problems you are talking about?
What I am *specifically* talking about is a situation where people who receive on average as many emails as they send don't pay ANYTHING above what they are paying now. We're trying to discourage bulk emailers, not individuals.
- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
The Innovation Machine Ltd. P.O. Box 5749
http://www.imach.com/ Helena, MT 59604
Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648
----------------------------------------------------------------------
Protect your personal freedoms - visit http://www.lp.org/
On Sat, 4 May 2002, Forrest W. Christian wrote:
We're trying to discourage bulk emailers, not individuals.
Then the way to do this is to make the cost of sending mass mail more expensive than sending only a few here and there. In short, we need a way to prevent the use of the $19.95 throw-away account that is used to send the vast majority of spam. Let's face it, only the biggest of the hardcore spammers are willing to pay out for dedicated lines.
How about something along the lines of dial accounts having their outgoing SMTP connections rate limited to, oh, let's say 100 per day, and limiting the maximum number of recipients on any given email to some low number, say 5?
A customer reaches the limit, the account auto-rejects all email for 24 hours.
Someone bitches? Let them buy full rate dedicated services, with the first month, last month, and a security deposit up front before service is established.
--
Yours,
J.A. Terranson
sysadmin@mfn.org
If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics.
The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
--------------------------------------------------------------------
On Sat, 4 May 2002 measl@mfn.org wrote:
How about something along the lines of dial accounts having their outgoing SMTP connections rate limited to, oh, let's say 100 per day, and limiting the maximum number of recipients on any given email to some low number, say 5?
A customer reaches the limit, the account auto-rejects all email for 24 hours.
Someone bitches? Let them buy full rate dedicated services, with the first month, last month, and a security deposit up front before service is established.
The problem with this is how do you enforce this across thousands of mail servers, controlled by many many different organizations?
I'm not saying the pay-per-message option is perfect. In fact, the more I think about a camram-type solution the more I like it: where the sender proves to the recipient that they spent a fair bit of CPU time before sending the message.
The bottom line is that in my opinion people need to give up *something* for the privilege of sending mail. I suggested a couple of cents per message. Others reject this as "it will destroy the net". Camram requires people to give up CPU cycles. This might be an easier thing to swallow.
Passing laws and putting on filters don't work. Depending on each mail server admin to do the right thing doesn't work. We need to find something else that will.
- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
The Innovation Machine Ltd. P.O. Box 5749
http://www.imach.com/ Helena, MT 59604
Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648
----------------------------------------------------------------------
Protect your personal freedoms - visit http://www.lp.org/
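The "sender proves to the recipient that they spent a fair bit of CPU time" idea from the message above, as an added example that is not camram's code or stamp format. It uses a hashcash-style partial hash collision; the field layout, SHA-256, the function names and the sample address are all assumptions made for illustration.

```python
import hashlib
import itertools
import os
from datetime import date


def leading_zero_bits(digest):
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(recipient, bits, day):
    """Sender side: search for a counter whose stamp hashes to `bits` leading zero bits.

    Expected cost is 2**bits hash evaluations per recipient, per message.
    """
    if ":" in recipient:
        raise ValueError("':' is the field separator in this stamp layout")
    salt = os.urandom(8).hex()  # two stamps for the same recipient and day differ
    prefix = f"1:{bits}:{day.isoformat()}:{recipient.lower()}:{salt}:"
    for counter in itertools.count():
        stamp = f"{prefix}{counter:x}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp


def verify(stamp, recipient, min_bits, today, seen, max_age_days=2):
    """Receiver side: one hash plus cheap checks. Returns 'ok' or the refusal reason."""
    parts = stamp.split(":")
    if len(parts) != 6 or parts[0] != "1":
        return "malformed"
    _, bits_s, day_s, rcpt, _salt, _counter = parts
    try:
        bits, day = int(bits_s), date.fromisoformat(day_s)
    except ValueError:
        return "malformed"
    if bits < min_bits:
        return "too cheap"            # sender did less work than this receiver demands
    if rcpt != recipient.lower():
        return "wrong recipient"      # a stamp minted for one address is useless for another
    if abs((today - day).days) > max_age_days:
        return "stale date"           # bounds how long `seen` has to remember stamps
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return "insufficient work"    # claimed difficulty not backed by the hash
    if stamp in seen:
        return "replayed"             # one stamp pays for one delivery only
    seen.add(stamp)
    return "ok"


def sender_cost_seconds(bits, recipients, hashes_per_second):
    """Expected CPU time to stamp one message for `recipients` addresses."""
    return (2 ** bits) * recipients / hashes_per_second


if __name__ == "__main__":
    today = date.today()
    stamp = mint("grandma@example.org", 16, today)   # constructed address
    seen = set()
    print(stamp)
    print(verify(stamp, "grandma@example.org", 16, today, seen))   # ok
    print(verify(stamp, "grandma@example.org", 16, today, seen))   # replayed
    # One recipient at 20 bits vs. a 100,000-address run, at an assumed 1M hashes/s:
    print(sender_cost_seconds(20, 1, 1e6), sender_cost_seconds(20, 100_000, 1e6))
```

Because the stamp binds the recipient and the date, the work cannot be done once and reused across a recipient list, which is the asymmetry between a one-to-one correspondent and a bulk sender.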
On Sat, May 04, 2002 at 06:01:49PM -0600, Forrest W. Christian wrote:
On Sat, 4 May 2002 measl@mfn.org wrote: The bottom line is that in my opinion people need to give up *something* for the privilege of sending mail. I suggested a couple of cents per message. Others reject this as "it will destroy the net". Camram requires people to give up CPU cycles. This might be an easier thing to swallow.
this will work well for those of us who are trying to enable non-1st world communications. ever tried to source a 1GHz processor in central africa?
-- [ Jim Mercer jim@reptiles.org +1 416 410-5633 ] [ I want to live forever, or die trying. ]
On Sat, 4 May 2002, Forrest W. Christian wrote:
On Sat, 4 May 2002 measl@mfn.org wrote:
How about something along the lines of dial accounts having their outgoing SMTP connections rate limited to, oh, let's say 100 per day, and limiting the maximum number of recipients on any given email to some low number, say 5?
A customer reaches the limit, the account auto-rejects all email for 24 hours.
Someone bitches? Let them buy full rate dedicated services, with the first month, last month, and a security deposit up front before service is established.
The problem with this is how do you enforce this across thousands of mail servers, controlled by many many different organizations?
I'm not saying the pay-per-message option is perfect. In fact, the more I think about a camram-type solution the more I like it: where the sender proves to the recipient that they spent a fair bit of CPU time before sending the message.
It doesn't scale to those who source lots of email, like mailing lists or webmail providers. It also has its own set of problems that are much much worse, if it's enabled by default on users:
--
[1] User (to ISP): ``Why does getting mail from NANOG never seem to work.'' Response: ``Because you haven't enabled them in the no-pay list.''
[2] User (to mailing list admin): ``Whenever I try to subscribe, I don't get a confirmation message.'' Response: ``Because you haven't enabled them in the no-pay list.''
[3] User (to ISP): ``Why does email from grandma never get through.'' Response: ``Because their email client doesn't support CAMRAM and you haven't enabled them in the no-pay list.''
[4] User (to ISP): ``Why does email to grandma never get through.'' Response: ``You need a CAMRAM-aware email client. Switch from MS-Outlook to Mutt.''
--
I dunno, but I'd think that the tech-support manpower for this would be pricy, especially if you get a phone call every time a user tries to subscribe to mailing list. Spam sucks... But, these alternatives seem like they'd be a lot more expensive for ISP's.
The bottom line is that in my opinion people need to give up *something* for the privilege of sending mail. I suggested a couple of cents per message. Others reject this as "it will destroy the net". Camram requires people to give up CPU cycles. This might be an easier thing to swallow.
Imagine a requirement that you had to listen to 30 seconds of muzak before every telephone call. Somewhere in the 30 seconds would be a 4 digit number you'd have to type in in order to complete the call. This is done to make sure people ``give up *something* for the privilege of'' making a telephone call. Why is this done, other than to discourage people from making telephone calls? Dunno.. Are telephone calls something we need to discourage?
Passing laws and putting on filters don't work. Depending on each mail server admin to do the right thing doesn't work. We need to find something else that will.
I hope so too.. But sender-pays isn't true for postal mail or telephone. If I get a junk mail, I have to waste time *and* pay to have it carted to a landfill. If I get a phone-spam, I have to waste time.
In ways, it seems like this is trying to force email into the idealized mold of postal mail. A mold that never really existed in the first place. This is impossible in any case as email isn't postal mail. Where is the analogy of NANOG for postal mail? A weekly newsletter? That newsletter would be what? $.35/issue, or $350/week if it had a readership of 1000. How much cheaper is NANOG to run than what that newsletter would cost?
We could make a NANOG posting cost $20/message for sender-pays, but do we want to sacrifice mailing lists on the altar of fitting a square peg into a circular hole?
Scott
On Sat, 4 May 2002, Forrest W. Christian wrote:
Passing laws and putting on filters don't work. Depending on each mail server admin to do the right thing doesn't work. We need to find something else that will.
Define "doesn't work"? Yes there is still spam - but the laws are in all cases relatively new (even on a technology timeline) and far from universal. None of these solutions is going to work overnight. The large amount of spam that people are filtering/bouncing at this point proves that they are far better than nothing.
What might work, instead of setting up a micropayments system (would take years) or convincing the 'net to adopt a Camram type system (might not take as long, but it wouldn't happen anytime soon) is to set up a reliable, centralized blacklist/filter provider, and to enact and enforce anti UCE laws on a national basis. For the filters to work, they have to have a certain critical mass, in terms of users or sources to key into spam. If you're talking about expending all the energy to coordinate and set up the above, why not instead lobby for a federal law, and enforcement of that law, along with a centralized and well admin'd blacklist (whose operations would be funded in part by proceeds from enforcement of antispam laws). The point that the spammers would just go overseas was well answered by the fact that generally (not always, but in a huge % of the cases) there is a US based contact for selling the stuff.
Spam has always been a problem - but it's become much more of a problem in the last 18 months. People dislike it - but I would be willing to bet the average person on this list gets more / has stronger feelings on / etc spam than the average public. The problem will get worse before it gets better - but I think it could be argued that the tools that are being developed now (filters, blacklists, etc) are the least intrusive, disruptive and most practical of the three options.
I think the other thing that has to happen, which hasn't reliably yet, is that the large providers have to be better about cutting off spammers and isp's that support them. Run an open relay? Your immediate upstream is notified, and if they can't get you to fix it, _they_ black hole it till you do. That would get your attention and stop the spam. I'm interested that (as far as I've seen) there hasn't been much talk in this thread yet about the larger networks' role in the enforcement side of this.
Whatever happens, it's going to take time to make work - more time than the current (possibly stopgap) measures have been given.
ben hubbard wrote:
why not instead lobby for a federal law, and enforcement of that law, along with a centralized and well admin'd blacklist (whose operations would be funded in part by proceeds from enforcement of antispam laws).
Actually, a well-written law wouldn't need funding. MAPS could make a decent income by filing class-action suits against spammers, for example. No reason for the government to get involved other than holding court. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
On Sat, 4 May 2002, Forrest W. Christian wrote:
On Sat, 4 May 2002 measl@mfn.org wrote:
How about something along the lines of dial accounts having their outgoing SMTP connections rate limited to, oh, let's say 100 per day, and limiting the maximum number of recipients on any given email to some low number, say 5?
A customer reaches the limit, the account auto-rejects all email for 24 hours.
Someone bitches? Let them buy full rate dedicated services, with the first month, last month, and a security deposit up front before service is established.
The problem with this is how do you enforce this across thousands of mail servers, controlled by many many different organizations?
Obviously, it is a self-enforcement issue, aimed at the ISPs who do dial services. I firmly believe that if we could control the dial accounts in this respect, we'd wipe out a very large portion of the problem children. The incentive to the ISP is obvious: $19.95 throw away accounts (which are likely not paid anyway) disappear, their SpamCop nightmares disappear, and the legitimate mass mail customer pays for commercial services.
I'm not saying the pay-per-message option is perfect.
I am a fan of micropayments in theory, but I do not believe that they can ever be applied to email, attractive though it may be. Since I don't believe it's really possible, I choose not to burn cycles on it. <snip>
The bottom line is that in my opinion people need to give up *something* for the privilege of sending mail.
Agreed: to send it for free, they lose the right to do it in significant volume.
I suggested a couple of cents per message. Others reject this as "it will destroy the net". Camram requires people to give up CPU cycles. This might be an easier thing to swallow.
Possibly, but I doubt that you can explain this to Joe and Jane Sixpack.
Passing laws and putting on filters don't work.
Amen.
Depending on each mail server admin to do the right thing doesn't work.
The problem here is defining "the right thing", no?
We need to find something else that will.
Agreed.
- Forrest W. Christian (forrestc@imach.com) AC7DE
-- Yours, J.A. Terranson sysadmin@mfn.org
If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics.
The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
--------------------------------------------------------------------
On Sat, May 04, 2002 at 06:01:49PM -0600, forrestc@imach.com said: [snip]
Passing laws and putting on filters don't work. Depending on each mail server admin to do the right thing doesn't work. We need to find something else that will.
I'm beginning to think that fighting the spam itself is futile. What we should perhaps be focusing on is removing access to whatever is being spamvertised (frequently a get-rich-quick website, porn site, diet site, etc. - but generally a website somewhere, that can have the plug pulled). Most of the discussion so far has focused on fighting the spam, but most of the methods feel a bit akin to moving an object tied to a rope by pushing the rope. I may get 15 spams from 15 different originating points, with 15 different headers, but they will frequently _all_ be advertising the same site or service. Wouldn't it be simpler to focus efforts on cutting off service to whatever is being spamvertised? It's the single link in the chain that, if cut, will take away the point of the spam. Thinking out loud here ... I realize there are problems (free/throwaway hosting, non-responsive network/hosting providers in other parts of the world, etc. etc.), but I think focusing on removing the motivation for the spam would be easier than trying to stop spam directly. -- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
On Mon, 6 May 2002, Scott Francis wrote:
On Sat, May 04, 2002 at 06:01:49PM -0600, forrestc@imach.com said: [snip]
Passing laws and putting on filters don't work. Depending on each mail server admin to do the right thing doesn't work. We need to find something else that will.
I'm beginning to think that fighting the spam itself is futile. What we should perhaps be focusing on is removing access to whatever is being spamvertised (frequently a get-rich-quick website, porn site, diet site, etc. - but generally a website somewhere, that can have the plug pulled).
Actually, my analysis of spam seems to indicate authentication of remote SMTP servers through a process similar to joining this list would remove 99+% of SPAM. i.e. the first email from a particular remote server that is received, requires the sender to take some action (respond with a password, click on a URL, etc.) before the mail gets through. One of these days I hope to write the procmail rules to do it (if I don't find someone that has done it already) -Ralph
On Mon, May 06, 2002 at 07:31:47PM -0400, Ralph Doncaster wrote:
Actually, my analysis of spam seems to indicate authentication of remote SMTP servers through a process similar to joining this list would remove 99+% of SPAM. i.e. the first email from a particular remote server that is received, requires the sender to take some action (respond with a password, click on a URL, etc.) before the mail gets through. One of these days I hope to write the procmail rules to do it (if I don't find someone that has done it already)
Such a beast lives already: Tagged Message Delivery Agent. http://software.libertine.org/tmda/ Yours, Luca -- Luca Filipozzi, ECE Dept. IT Manager, University of British Columbia Office: MacLeod 257 Voice: 604.822.3976 Web: www.ece.ubc.ca/~lucaf gpgkey 5A827A2D - A149 97BD 188C 7F29 779E 09C1 3573 32C4 5A82 7A2D
On Mon, 6 May 2002, Ralph Doncaster wrote:
Actually, my analysis of spam seems to indicate authentication of remote SMTP servers through a process similar to joining this list would remove 99+% of SPAM. i.e. the first email from a particular remote server that is received, requires the sender to take some action (respond with a password, click on a URL, etc.) before the mail gets through. One of these days I hope to write the procmail rules to do it (if I don't find someone that has done it already)
Tagged Message Delivery Agent. http://software.libertine.org/tmda/
- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
The Innovation Machine Ltd. P.O. Box 5749
http://www.imach.com/ Helena, MT 59604
Home of PacketFlux Technologies and BackupDNS.com (406)-442-6648
----------------------------------------------------------------------
Protect your personal freedoms - visit http://www.lp.org/
On Mon, 06 May 2002 19:31:47 EDT, Ralph Doncaster said:
99+% of SPAM. i.e. the first email from a particular remote server that is received, requires the sender to take some action (respond with a
And the mailing list you just subscribed to clicks on the URL *how*? Across the hall we got a large Sun box that does some 2M POP3 checks per week, for a 70K+ user community. Explain how your scheme works in that environment.... OK.. said throw-away dialup tosses one piece of mail, has a little proggie that catches the response and automates the reply, and then proceeds to spam my 70K users. Wow, that slowed them down a lot. ;)
On Mon, 6 May 2002, Scott Francis wrote:
On Sat, May 04, 2002 at 06:01:49PM -0600, forrestc@imach.com said: [snip]
Passing laws and putting on filters don't work. Depending on each mail server admin to do the right thing doesn't work. We need to find something else that will.
I'm beginning to think that fighting the spam itself is futile. What we should perhaps be focusing on is removing access to whatever is being spamvertised (frequently a get-rich-quick website, porn site, diet site, etc. - but generally a website somewhere, that can have the plug pulled).
The major problem I see with this is the need to verify that the spamvertised site actually requested or paid for the spam. After all, what's to prevent me from spamming in the name of xyz.com just so I can see them shutdown? More importantly, you need evidence to shut a customer and being spamvertised alone is not necessarily sufficient. -Mike
On Tue, May 07, 2002 at 01:13:34AM -0400, Mike Joseph wrote:
The major problem I see with this is the need to verify that the spamvertised site actually requested or paid for the spam. After all, what's to prevent me from spamming in the name of xyz.com just so I can see them shutdown? More importantly, you need evidence to shut a customer and being spamvertised alone is not necessarily sufficient.
Just to say that this is not hypothetical, before we eventually got permanently whitelisted on spamcop, I would routinely get spamvertised website complaints on open source projects hosted on sourceforge.net.
Spammers would either list open source projects URLs in their spams for various reasons, or the spam would contain the URL of an open source project (like razor.sourceforge.net, squirrelmail.org, or something like that).
The most distressing part is that all those reports were supposedly reviewed and approved by humans before being sent. Sigh...
Marc
-- Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key
On Tue, May 07, 2002 at 01:13:34AM -0400, mjoseph@netaxs.com said: [snip]
The major problem I see with this is the need to verify that the spamvertised site actually requested or paid for the spam. After all, what's to prevent me from spamming in the name of xyz.com just so I can see them shutdown? More importantly, you need evidence to shut a customer and being spamvertised alone is not necessarily sufficient.
Obviously, there is still a need for some investigation during the spam tracking process. I'm sure this kind of thing happens, but I think the vast majority of spamvertised sites really are the source of the spam. It goes without saying that there is no substitute for clue, both in the spam fighting arena and elsewhere.
-Mike
-- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
Hey all! I want to first thank all of you that responded to my request about providers for IP VPN services with more of a focus on just ISP service as we will be doing CPE based VPN. Now I'm finalizing these proposals, I'd be interested to know what you all would recommend seeing in your SLAs and what you missed if you have one now, especially things you WISH you'd have put in there. Caveats on certain providers would be helpful to know too. Things I'm interested in are, but not limited to:
1. Per circuit (not aggregate) SLA
2. Latency - <60ms end-to-end
3. MTTR (Mean Time To Repair) not respond
4. Cause for disconnect without penalty
5. Credit levels for outages
6. Maximum outages per circuit
7. When does an outage start, when customer reports it, when it goes down, etc.
8. Are ARC (Annual Revenue Commitments) good ideas or bad?
9. Reasonable up-time
10. Managing the local-loop in the SLA
11. Definition of "end-to-end" (PoP to PoP, CPE to CPE, etc.)
12. How is latency measured (aggregate over 30 days, daily, etc.)
13. Proactively manage outages (most are local-loop issues anyway)
14. Provisioning guarantees (give me something if you can't get it in and you're waiving the install charges so that's no good).
15. "Outs" in the contract for SLA violations.
15a. Poor service, can we terminate contract for violations, and how many.
15b. Do same discounts apply if ARC is not met because of service disconnects due to non-performance?
and anything else ANY of you can provide would be very much appreciated.
One other question is, is it possible/effective to use the vendor's SLA and have addendums to state our requests and needs? Then, in the SLA be able to state that whatever is better for the customer (should the provider "upgrade" their SLA) will be what the provider is held to uphold in their SLA? Hope that's understandable.
Thank you for your time!
- Darrell
======================================================================
Darrell Kristof, Network Manager/Team Leader
Whole Foods Market, Corporate Offices
E-Mail: darrell.kristof@wholefoods.com
The only way to catch and stop spammers is with horsepower and proactive mail policies. Sendmail is capable of being configured in a rigid manner and filters put in place, the problem is that most system hacks are not capable enough to manage the overhead of enforcing a filtration rule on each piece of mail because of the complexity. What's needed is a turn-key solution really. None of us want to have to play with email gateways and reception agents if we don't have to (well ok, so it's only most of us...).
For instance, we got a boatload of bad email last week locally at one of the local SF Bay Area Universities I do work with, and our entire email gateway was shutdown dealing with actively filtering 3000 emails that had a contaminated attachment. The problem with email filters is that they are not smart. They can't tell you when they see 5 pieces of email that all have a bad return or source address/name and that have a contaminated attachment, that all came from the same place that they should create and manage their own little blacklist file...
I also suggest that running sendmail on a single host is a mistake or any mail system for that matter. I have ours setup on a reception agent system which timestamps and logs all the email into a queue. The queue has a stand-alone engine that qualifies each piece of email and checks any attachments for evilness. Each stage also sends a response to the sender acknowledging receipt if "Receipts are requested" and the whole system works pretty well. The whole system cost less than 15K to put in place and is essentially 5 different computers all of which happen to be implemented on a SBC we have so the entire system fits into a single PCI based computer's footprint.
If anyone is interested in the exact setup - email me offlist and we can continue this conversation.
Todd Glassey, CTO ServerWerks Inc. http://www.serverwerks.cc
----- Original Message -----
From: <measl@mfn.org>
To: "Forrest W. Christian" <forrestc@imach.com>
Cc: "Eric A. Hall" <ehall@ehsco.com>; <nanog@nanog.org>
Sent: Saturday, May 04, 2002 4:33 PM
Subject: Re: anybody else been spammed by "no-ip.com" yet?
On Sat, 4 May 2002, Forrest W. Christian wrote:
We're trying to discourage bulk emailers, not individuals.
Then the way to do this is to make the cost of sending mass mail more expensive than sending only a few here and there. In short, we need a way to prevent the use of the $19.95 throw-away account that is used to send the vast majority of spam. Let's face it, only the biggest of the hardcore spammers are willing to pay out for dedicated lines.
How about something along the lines of dial accounts having their outgoing SMTP connections rate limited to, oh, let's say 100 per day, and limiting the maximum number of recipients on any given email to some low number, say 5?
A customer reaches the limit, the account auto-rejects all email for 24 hours.
Someone bitches? Let them buy full rate dedicated services, with the first month, last month, and a security deposit up front before service is established.
-- Yours, J.A. Terranson sysadmin@mfn.org
If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics.
The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place... --------------------------------------------------------------------
We're trying to discourage bulk emailers, not individuals.
Then the way to do this is to make the cost of sending mass mail more expensive than sending only a few here and there. In short, we need a way to prevent the use of the $19.95 throw-away account that is used to send the vast majority of spam. Let's face it, only the biggest of the hardcore spammers are willing to pay out for dedicated lines. How about something along the lines of dial accounts having their outgoing SMTP connections rate limited to, oh, let's say 100 per day, and limiting the maximum number of recipients on any given email to some low number, say 5? A customer reaches the limit, the account auto-rejects all email for 24 hours. Someone bitches? Let them buy full rate dedicated services, with the first month, last month, and a security deposit up front before service is established.
Now there's a good idea, and it works, I have several sites running a "port 25" trap to stop smtp abuse.
To stop port 25 abuse at some schools, the firewall grabs all outgoing port 25 connections from !"the mail server", and to !"the mail server", and runs them via "the mail server", which stops header forging, mass rcpt to: abuse, and vrfy/expn probing. Anything that goes past the filters has a nice clear and traceable received by: line.
If a few of the larger pre-paid isp's could simply filter port 25 on their accounts, add some sanity checking (like, a user must be using a valid email address in the from:/return-path:/reply-to: lines, etc) and reject other abuse like rcpt to: stacking. Plus, add an anti-bulk email check, like razor or checksum clearinghouse, (yeah, seriously, checksum the outgoing emails, if some humans somewhere have said "this is spam", then /dev/null or BOUNCE the outgoing email.)
I'd even be inclined to place these filters at the border to smaller downstream isp's, let them register their valid email domains, any user from their network trying to send invalid email, or email that is listed in razor, just kill it or auto-refer to the abuse desk.
[This may sound expensive, but on reflection, a US$2K box with BSD could handle 20Mbps of port 25, remember only port 25, nothing else, you would place one behind your dial up infrastructure, or several for a large site, and your "transparent smtp proxy" would pay for itself by killing off a lot of your abuse@ work. There are many ways of redirecting the port 25 packets, have a look at all the good work done on port 80 transparent proxies.]
// :), patent pending? No, the concept is hereby committed to the public domain. //
--- Terence C. Giufre-Sweetser
+---------------------------------+--------------------------+
| TereDonn Telecommunications Ltd | Phone +61-[0]7-32369366  |
| 1/128 Bowen St, SPRING HILL     | FAX +61-[0]7-32369930    |
| PO BOX 1054, SPRING HILL 4004   | Mobile +61-[0]414-663053 |
| Queensland Australia            | http://www.tdce.com.au   |
+---------------------------------+--------------------------+
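The checks this message lists for an outbound port 25 proxy (VRFY/EXPN probing, unregistered sender domains, RCPT stacking, and a lookup of the message against reported bulk mail), as an added example that is not the poster's configuration. The function names, the sample domains and the whitespace-normalised SHA-256 standing in for a Razor or checksum-clearinghouse signature are assumptions.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr


def domain_of(address):
    """Lower-cased domain of an address such as 'Jane <jane@example.net>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def body_digest(body):
    """Assumed stand-in for a bulk-mail checksum: SHA-256 over the body
    with case and whitespace normalised."""
    normalised = " ".join(body.split()).lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def screen_session(commands, message, registered_domains, reported_digests,
                   max_rcpt=5):
    """Screen one intercepted SMTP session. Returns a list of
    (policy, detail) violations; an empty list means relay the message."""
    violations = []
    rcpt_count = 0
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("VRFY", "EXPN"):
            violations.append(("probe", verb))
        elif verb == "MAIL":
            # arg looks like "FROM:<user@domain>"; ignore any trailing parameters
            sender = (arg.partition(":")[2].split() or [""])[0]
            if domain_of(sender) not in registered_domains:
                violations.append(("envelope-sender", sender))
        elif verb == "RCPT":
            rcpt_count += 1
    if rcpt_count > max_rcpt:
        violations.append(("rcpt-stacking", str(rcpt_count)))

    msg = message_from_string(message)
    for header in ("From", "Return-Path", "Reply-To"):
        value = msg.get(header)
        if value and domain_of(value) not in registered_domains:
            violations.append(("header-" + header.lower(), value))

    body = msg.as_string() if msg.is_multipart() else msg.get_payload()
    if body_digest(body) in reported_digests:
        violations.append(("reported-bulk", body_digest(body)))
    return violations


if __name__ == "__main__":
    # Constructed session from a dial-up customer of dial.example.net.
    registered = {"dial.example.net"}
    spam_body = "MAKE MONEY FAST\n\nVisit our site today.\n"
    reported = {body_digest(spam_body)}
    session = (["HELO pc2", "VRFY postmaster",
                "MAIL FROM:<deals@forged.example.com>"]
               + ["RCPT TO:<u%d@example.org>" % i for i in range(7)]
               + ["DATA"])
    mail = ("From: Offers <deals@forged.example.com>\n"
            "Subject: offer\n\n" + spam_body)
    for policy, detail in screen_session(session, mail, registered, reported):
        print(policy, detail)
```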
On Fri, May 10, 2002 at 11:27:10AM +1000, Terence Giufre-Sweetser wrote:
Now there's a good idea, and it works, I have several sites running a "port 25" trap to stop smtp abuse.
To stop port 25 abuse at some schools, the firewall grabs all outgoing port 25 connections from !"the mail server", and to !"the mail server", and runs them via "the mail server", which stops header forging, mass rcpt to: abuse, and vrfy/expn probing. Anything that goes past the filters has a nice clear and traceable received by: line.
If a few of the larger pre-paid isp's could simply filter port 25 on their accounts, add some sanity checking (like, a user must be using a valid email address in the from:/return-path:/reply-to: lines, etc) and reject other abuse like rcpt to: stacking. Plus, add an anti-bulk email check, like razor or checksum clearinghouse, (yeah, seriously, checksum the outgoing emails, if some humans somewhere have said "this is spam", then /dev/null or BOUNCE the outgoing email.)
I'd even be inclined to place these filters at the border to smaller downstream isp's, let them register their valid email domains, any user from their network trying to send invalid email, or email that is listed in razor, just kill it or auto-refer to the abuse desk.
[This may sound expensive, but on reflection, a US$2K box with BSD could handle 20Mbps of port 25, remember only port 25, nothing else, you would place one behind your dial up infrastructure, or several for a large site, and your "transparent smtp proxy" would pay for itself by killing off a lot of your abuse@ work. There are many ways of redirecting the port 25 packets, have a look at all the good work done on port 80 transparent proxies.]
// :), patent pending? No, the concept is hereby committed to the public domain. //
Earthlink was doing this for basically all of their consumer-grade (dialup, most of the ADSL, etc) customers in 1999 (well, almost certainly earlier than that, but I can only personally speak to it being in place then). It doesn't stop absolutely everything, but it's a very good 95% first pass filter. Don't forget to allocate support queue time for explaining to folks why they can't do SMTP relaying through their other provider where they have a hosting account, though...
(Business customers were exempted, but paid hefty setup fees and monthly fees, and if I recall the contract correctly, forfeited all of them for AUP violations, which explicitly included UCE).
Keeping the filters up to date is often a painful exercise in assignment coordination testing, too...
--
***************************************************************************
Joel Baker System Administrator - lightbearer.com
lucifer@lightbearer.com http://users.lightbearer.com/lucifer/
--On Thursday, May 9, 2002 8:26 PM -0600 Joel Baker <lucifer@lightbearer.com> wrote:
Earthlink was doing this for basically all of their consumer-grade (dialup, most of the ADSL, etc) customers in 1999 (well, almost certainly earlier than that, but I can only personally speak to it being in place then). It doesn't stop absolutely everything, but it's a very good 95% first pass filter. Don't forget to allocate support queue time for explaining to folks why they can't do SMTP relaying through their other provider where they have a hosting account, though...
My customers who reach me (a mail service) from Earthlink dialups are affected by this. Apparently it's still happening. I run a listener on another host and port, known only to this (so far) small subset of people, to be able to serve them. In general, we advise people to use their ISP's relay for outgoing mail, but Earthlink won't let them relay because the sender domain is not one that Earthlink knows about (i.e. is charging them for). Apparently. In principle, I endorse this practice. It seems to reduce abuse, which is all to the good. But in practice, it creates a problem I have to solve. Is there a way for these unfortunate people to register other domains with Earthlink as "outbound relay only"?
Jim Hickstein wrote:
My customers who reach me (a mail service) from Earthlink dialups are affected by this. Apparently it's still happening. I run a listener on another host and port, known only to this (so far) small subset of people, to be able to serve them. In general, we advise people to use their ISP's relay for outgoing mail, but Earthlink won't let them relay because the sender domain is not one that Earthlink knows about (i.e. is charging them for). Apparently.
Something's weird here. My home DSL line is Earthlink. I send out mail through their server (specifically through smtp.mindspring.com), and I have my mail client configured to use my yahoo.com address as the return address. They don't seem to care about the message's sender address as long as it comes from an Earthlink link. Is the dial-up any different? Now, I do know that I can't send through the Earthlink/Mindspring server from outside their network. But that's not a big deal for me. When I'm away from home, I just use the server of whatever network I'm connected to at the time, which has never given me a problem. I think Earthlink has an SMTP-AUTH mail server as well. It's not the same one that the default dialups use, however. I think it's smtpauth.earthlink.com, but I haven't actually tried using it. -- David
On Fri, 10 May 2002, David Charlap wrote:
Jim Hickstein wrote:
My customers who reach me (a mail service) from Earthlink dialups are affected by this. Apparently it's still happening. I run a listener on another host and port, known only to this (so far) small subset of people, to be able to serve them. In general, we advise people to use their ISP's relay for outgoing mail, but Earthlink won't let them relay because the sender domain is not one that Earthlink knows about (i.e. is charging them for). Apparently.
Something's weird here.
My home DSL line is Earthlink. I send out mail through their server (specifically through smtp.mindspring.com), and I have my mail client configured to use my yahoo.com address as the return address. They don't seem to care about the message's sender address as long as it comes from an Earthlink link.
Not weird, this is the way most smtps are set up - not to verify sender address but only allow the ISP's IP addresses. (this is how not to be an open relay server which spammers use..) Steve
Is the dial-up any different?
Now, I do know that I can't send through the Earthlink/Mindspring server from outside their network. But that's not a big deal for me. When I'm away from home, I just use the server of whatever network I'm connected to at the time, which has never given me a problem.
I think Earthlink has an SMTP-AUTH mail server as well. It's not the same one that the default dialups use, however. I think it's smtpauth.earthlink.com, but I haven't actually tried using it.
-- David
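The relay behaviour discussed in the messages above (relaying allowed by source network rather than by sender address, an SMTP AUTH path for off-network users, and the sender-domain restriction Jim Hickstein suspects) can be modelled as a single decision function. This is an added example, not part of any message in the thread or any ISP's actual configuration; the networks, domains, function names and the `restrict_sender_domain` switch are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges, example domains);
# assumptions for illustration, not any real ISP's configuration.
CUSTOMER_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
LOCAL_DOMAINS = {"isp.example"}


def domain_of(address):
    """Lower-cased domain part of an envelope address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def relay_decision(client_ip, mail_from, rcpt_to,
                   authenticated=False, restrict_sender_domain=False):
    """Decide whether to accept one RCPT TO. Returns (accepted, reason)."""
    # Mail addressed to our own users is ordinary delivery, not relaying.
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True, "local delivery"

    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "relay denied: unparseable client address"

    # Not being an open relay: only our own address space, or a client
    # that has completed SMTP AUTH, may send to outside domains.
    on_net = any(ip in net for net in CUSTOMER_NETS)
    if not (on_net or authenticated):
        return False, "relay denied: off-network and unauthenticated"

    # Optional stricter policy: also require a sender domain we host.
    if restrict_sender_domain and domain_of(mail_from) not in LOCAL_DOMAINS:
        return False, "relay denied: sender domain not hosted here"

    return True, "relay permitted"


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "user@yahoo.example", "friend@elsewhere.example", {}),
        ("203.0.113.5", "user@yahoo.example", "friend@elsewhere.example", {}),
        ("203.0.113.5", "user@yahoo.example", "friend@elsewhere.example",
         {"authenticated": True}),
        ("192.0.2.10", "user@hosted.example", "friend@elsewhere.example",
         {"restrict_sender_domain": True}),
    ]
    for ip, sender, rcpt, opts in cases:
        print(ip, sender, opts, "->", relay_decision(ip, sender, rcpt, **opts))
```

With the default settings the sender address plays no part in the decision, which matches what David Charlap observes; the stricter switch reproduces the rejection Jim Hickstein's customers see.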
On Fri, May 10, 2002 at 11:27:10AM +1000, Terence Giufre-Sweetser wrote:
Now there's a good idea, and it works, I have several sites running a "port 25" trap to stop smtp abuse.
To stop port 25 abuse at some schools, the firewall grabs all outgoing port 25 connections from !"the mail server", and to !"the mail server", and runs them via "the mail server", which stops header forging, mass rcpt to: abuse, and vrfy/expn probing. Anything that goes past the filters has a nice clear and traceable received by: line.
I'm not sure what's so swell with this. I require SMTP AUTH over SSL with STARTTLS (exclusively), and this nice little hijack scheme makes for great support calls. They steal the SMTP connection, and then are unable to provide the SSL connection and our server certificate (obviously), so the connection fails. Yes, the "solution" is to pick a different non standard port, which comes with its own set of problems (not counting mail clients that are unable to use a different port), but I'd much rather that they do not hijack my client connections (blocking open relays and DUL IPs works just fine if you choose/need to do that) Marc -- Microsoft is to operating systems & security .... .... what McDonalds is to gourmet cooking Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key
First, nobody wants to pay $.02 to email grandma. They will pick up the phone instead. Second, nobody will send any emails that they don't have to, period. This will just drive Internet users away because of the cost rather than being driven away because of spam.
sounds a bit like www.vanqish.com . But other than that, how would it work for mailing lists like this one? -- ------- jullrich@sans.org Join http://www.DShield.org Distributed Intrusion Detection System
On Sat, 4 May 2002, Johannes B. Ullrich wrote:
sounds a bit like www.vanqish.com . But other than that, how would it work for mailing lists like this one?
My solution to this would be for people to be able to select certain senders as not being charged. - Forrest W. Christian (forrestc@imach.com) AC7DE ---------------------------------------------------------------------- The Innovation Machine Ltd. P.O. Box 5749 http://www.imach.com/ Helena, MT 59604 Home of PacketFlux Technogies and BackupDNS.com (406)-442-6648 ---------------------------------------------------------------------- Protect your personal freedoms - visit http://www.lp.org/
sounds a bit like www.vanqish.com . But other than that, how would it work for mailing lists like this one?
My solution to this would be for people to be able to select certain senders as not being charged.
... which leads to the same problems every e-postage scheme does:

* It swaps the current set of problems for an all-new and quite possibly worse set of problems, as bad guys come up with ways to scam the per-message payment system. Just think, get infected with e-payment klez via your fast always-on DSL connection, come back the next day and find that it's sent 50,000 messages so it's spent $1,000 of your money. If you waive fees for virus victims, every spammer's going to claim a virus did it. And maybe a virus really did do it, it's the obvious way to send spam with someone else's stamps.

* It turns every ISP into a bank. ISPs don't have the expertise to be banks, nor can they afford the financial exposure. What are you going to do when 10 of your users get e-klez, refuse to pay the postage that the virus stole, and leave you holding a $10K bag?

* Nobody in the world has the faintest idea how you could implement 2 cent payments fast and cheap enough to use to pay for e-mail.

If you're serious about e-postage, could you let us know what your solutions to these problems are? You may have insights that the rest of us don't, but we'll never know if you don't tell us.

Regards, John Levine, postmaster@iecc.com, postmaster@gurus.com, postmaster@services.net (and postmaster of about 100 other domains)

PS: Anti-spam laws aren't going to solve everything, but the TCPA made a whole lot more difference to the junk fax problem than any set of phone line filters.
In the immortal words of John R. Levine (johnl@iecc.com):
* It swaps the current set of problems for an all-new and quite possibly worse set of problems, as bad guys come up with ways to scam the per-message payment system. Just think, get infected with e-payment klez via your fast always-on DSL connection, come back the next day and find that it's sent 50,000 messages so it's spent $1,000 of your money. If you waive fees for virus victims, every spammer's going to claim a virus did it. And maybe a virus really did do it, it's the obvious way to send spam with someone else's stamps.
I'm not sure that would be a bad thing in the long run. You know what _I_ would do if I were a smart lawyer and heard about a bunch of people that this had happened to? I'd file a class-action liability suit against Microsoft for selling a defective product that lost my clients thousands of dollars. I suspect I'd have a good chance of winning, too.
* It turns every ISP into a bank.
Mmmmm...not necessarily. It certainly creates a market for companies to provide outsourcing of e-postage metering and collection for ISPs, and as such it would add to ISPs' overhead costs. Would it add more than the overhead cost of dealing with current spam loads? Maybe. Would it add more than the overhead cost of dealing with a 90% spam load, which we _will_ see in the next 5 years? I doubt it.
ISPs don't have the expertise to be banks, nor can they afford the financial exposure. What are you going to do when 10 of your users get e-klez, refuse to pay the postage that the virus stole, and leave you holding a $10K bag?
Sue Microsoft for $10k plus time, aggravation and punitive damages. :)
* Nobody in the world has the faintest idea how you could implement 2 cent payments fast and cheap enough to use to pay for e-mail.
Here, unfortunately, is the real problem. Everybody has been saying that micropayments are a great idea for 4+ years now, but nobody has a working implementation that could possibly come close to scaling to "everyone who uses SMTP, all the time."
PS: Anti-spam laws aren't going to solve everything, but the TCPA made a whole lot more difference to the junk fax problem than any set of phone line filters.
Agreed. -n ------------------------------------------------------------<memory@blank.org> "Thus do `Snuff Movies' take their place with `Political-Correctness,' `Sex Addiction,' and `Postmodernism' as Godzillas of bogus moral panic, always threatening to crush the nation in their jaws, but never quite willing to take the final step of biting down. (--www.suck.com) <http://blank.org/memory/>----------------------------------------------------
On Sun, 05 May 2002 18:15:15 EDT, "Nathan J. Mehl" <memory-nanog@blank.org> said:
people that this had happened to? I'd file a class-action liability suit against Microsoft for selling a defective product that lost my clients thousands of dollars.
I suspect I'd have a good chance of winning, too.
EULA. Computer software is unique in that not only are the producers not held liable for defects, but quite often manage to avoid any of the usual "suitability for purpose" requirements - there is a presumption that (for instance) a toaster is supposed to be able to actually toast a piece of bread - and that therefore any toaster that is unable to do so is inherently defective *and it's the vendor's problem to make it right*, whether via replacement, repair, or refund. Quite often, vendors of software manage to disclaim even the requirement that a word processor be able to process text, etc.
In the immortal words of Valdis.Kletnieks@vt.edu (Valdis.Kletnieks@vt.edu):
On Sun, 05 May 2002 18:15:15 EDT, "Nathan J. Mehl" <memory-nanog@blank.org> said:
people that this had happened to? I'd file a class-action liability suit against Microsoft for selling a defective product that lost my clients thousands of dollars.
I suspect I'd have a good chance of winning, too.
EULA.
Absent the passage of an SPCCA-esque Federal law, the enforceability of EULAs in the face of actual, quantifiable financial damage is untested at best, farcical at worst. This is, of course, entirely non-operational in content, so I'd like to take this moment to remind the list of the presence of: nanog-offtopic@lists.blank.org Send email to nanog-offtopic-subscribe@lists.blank.org to be added to the list. Only you can prevent endless non-operational digressions on nanog@merit.edu! -n -------------------------------------------------------------<memory@blank.org> "I used to think that the brain was the most wonderful organ in my body. Then I realized who was telling me this." (--Emo Phillips) <http://blank.org/memory/>-----------------------------------------------------
On Sat, 4 May 2002, Eric A. Hall wrote:
Anyone who thinks that government can pass a law and this will go away is hopelessly naive.
Uh, thanks. The government has all kinds of property protection laws. My mail spool is my property. Do the math.
Indeed, the courts have already ruled that an ISP has a right to tell a spammer to sod off. -- Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek) JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net "The Indians are unfolding into the 2002 season like a lethal lawn chair." (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
On Sat, 4 May 2002, Forrest W. Christian wrote:
Anyone who thinks that government can pass a law and this will go away is hopelessly naive. The spammers will go overseas. Besides, if you look
The spammers already use non-US machines in various ways to disguise their (still predominately) US origin.
been reported to the razor. rbldns lists are effective only against the worst offenders, as the rest don't get reported until it is too late. and so on.
Hrm, I'm thinking that the focus is slightly off (ie, rejection doesn't have to occur solely at the message delivery stage); assuming that you had custom software, you could conceivably get a real time feed of spam/open relays/other criteria and periodically check your mail that-you-have-received-but-not-yet-read against any new updates to further get rid of more spam. If you've got a few million subscribers who would be further annoyed at spam/your abuse desk in receiving spam, this would possibly be productive.
I think the only other methods I can think of are best described as some sort of "web of trust" type method. These are essentially whitelist systems. In order to send me mail you have to *do* something.
How long before mailing list exploders are forced to only accept pgp-signed/encrypted mail from its subscribers, and re-pgp-sign/encrypt it when sending to subscribers ? --==-- Bruce.
On Fri, 3 May 2002, Gregory Hicks wrote:
money. Today with flat rate access and many people not paying on a per packet basis it seems to me that the responsibility lies with the end user to filter properly and or dress that delete key. I always shut [...snip...]
The problem with this is that, yes, to the END USER, there is no direct cost involved.
However, in order to maintain the same level of service, the ISP is forced to go get a bigger pipe and/or bigger, faster routers and/or servers. (Raises prices a bit per account)
Yes, I've always said that the costs MUST be looked at in the aggregate.
In all of this, the bozo (well..., 'user' really)
no, 'bozo' is appropriate. -- Steve Sobol, CTO (Server Guru, Network Janitor and Head Geek) JustThe.net LLC, Mentor On The Lake, OH 888.480.4NET http://JustThe.net "The Indians are unfolding into the 2002 season like a lethal lawn chair." (_News-Herald_ Indians Columnist Jim Ingraham, April 11, 2002)
participants (29)
- ben hubbard
- Bill Woodcock
- Bruce Campbell
- Darrell Kristof
- David Charlap
- Eric A. Hall
- Forrest W. Christian
- Gregory Hicks
- Jim Hickstein
- Jim Mercer
- jlewis@lewis.org
- Joel Baker
- Johannes B. Ullrich
- johnl@iecc.com
- Luca Filipozzi
- Marc MERLIN
- measl@mfn.org
- Mike Joseph
- Nathan J. Mehl
- Ralph Doncaster
- Richard A Steenbergen
- Scott A Crosby
- Scott Francis
- Stephen J. Wilcox
- Steven J. Sobol
- Terence Giufre-Sweetser
- todd glassey
- Valdis.Kletnieks@vt.edu
- william@elan.net