Re: SMTP authentication for broadband providers
To attack spam, we need to attack it at its core, not at some secondary or tertiary side-effect, with a mechanism that also hurt legitimate users.
We, as network operators don't need to attack spam. We need to ignore spam itself and get to work securing the network that enables spammers to do their dirty work.
Unless and until there is broad community consensus that answers that question in concrete and practical terms, then all our efforts are losing and stop-gap.
From recent conversations on the list it appears that the BCPs for email include using the submission protocol for all end-user sending of email. But I would like to see this go a step further and require SMTP AUTH for every single SMTP session on port 25 as well. That means that AOL's mailservers would have to authenticate their sessions on Hotmail's servers before sending email and vice versa. It means that you cannot operate a mailserver without having a bilateral agreement in
I wouldn't go quite so far as that. Yes, broad consensus of the network operator community would help us to secure the architecture of the email system. That's why I have suggested that large email operators should be meeting regularly in a forum where they can discuss and agree upon *BEST PRACTICES*. But it also helps for people to implement best practices in a piecemeal fashion because that provides the real-world operational experience to prove that a particular practice is feasible. place with some set of email peers. It provides a chain of trust through those bilateral agreements that makes it easier to block SPAM and catch spammers. Yes, this probably means that we need to have some DNS related changes so that a domain can publish a list of their email peers and so that MTA software can figure out where to forward a particular email to reach its destination. But none of this is rocket science. And all of it could be accomplished by sitting the major email operators around a table to hash it out. NANOG could help here by devoting the next meeting to the various technical operational email issues and by extending to an additional day for the email operators forum. There is plenty of BCP material that could be presented and even though some of the operators like AOL have presented this in the past, an update would be useful to a lot of us. --Michael Dillon
On Fri, 13 Feb 2004 11:05:16 GMT, Michael.Dillon@radianz.com said:
go a step further and require SMTP AUTH for every single SMTP session on port 25 as well. That means that AOL's mailservers would have to authenticate their sessions on Hotmail's servers before sending email and vice versa. It means that you cannot operate a mailserver without having a bilateral agreement in place with some set of email peers. It provides a chain of
40 million .coms...
Yes, this probably means that we need to have some DNS related changes so that a domain can publish a list of their email peers and so that MTA software can figure out where to forward a particular email to reach its destination.
Yeeee-Haw! A return to the Old West of bangbaths and pathalias. No thanks.
--On 13 February 2004 09:27 -0500 Valdis.Kletnieks@vt.edu wrote:
Yeeee-Haw! A return to the Old West of bangbaths and pathalias.
No thanks.
That's absolutely the issue with emerging resignation to "e-mail peering" and the like being the only solution to the spam problem. Folks who've been around long enough to remember UUCP maps or ADMD=/PRMD= know how huge the cost and support overhead of unreliability per e-mail sent is relative to SMTP delivery. Before we drop into that particular trap I'd like to think that one more attempt could be made at using PKI to do MTA identification. Maybe I'm a dreamer, but a world in which I only accept mail from MTA's that present a certificate from a CA I trust seems way better than one where I need an offline contract with a necessarily few people, and the world has to work out how to reach me through them. This won't stop spam at all levels, but neither will e-mail peering as it will still be possible to inject SPAM into a provider's network and therefore get it transited through their peering links. It's much easier to kill a black-hat or just careless MTA by locally blacklisting an individual public key, CN=, O=, or even C= if I'm minded to. -- Rob.
On Fri, 13 Feb 2004, Rob Pickering wrote:
--On 13 February 2004 09:27 -0500 Valdis.Kletnieks@vt.edu wrote:
Yeeee-Haw! A return to the Old West of bangbaths and pathalias.
No thanks.
That's absolutely the issue with emerging resignation to "e-mail peering" and the like being the only solution to the spam problem.
The unfortunate fact is lots of people like to operate open, anonymous services and then expect other people to clean up after them. Why don't IRC operators require authentication of their users? ISPs should block 6667 Why don't SMTP operators require authentication of their users? ISPs should block 25 Why don't NETBIOS operators require authentication of their users? ISPs should block 135, 137-139, 445 Why don't P2P operators require authentication of their users? ISPs should block everything
On 2004-02-15T17:33-0500, Sean Donelan wrote: ) The unfortunate fact is lots of people like to operate open, anonymous ) services and then expect other people to clean up after them. ) ) Why don't IRC operators require authentication of their users? ) Why don't SMTP operators require authentication of their users? Why don't HTTP operators require authentication of their users? If I'm researching testicular cancer on the web, that may involve web sites, IRC support channels, or mailing lists. The *truly* unfortunate fact is lots of ISPs like to do things like throw up firewall rules and then expect other people to clean up after the real problems they are simply evading. Consider this: A pathogen is developed that kills anyone with which it comes in contact. People across the world are randomly exposed to the pathogen and begin dying en masse. Short-term public interest would seem to necessitate that hosting public meetings should now be discouraged, if not outright banned. In some areas, ordinances might be passed requiring that any human contact be made only if both parties know each other, and can prove they have adequate air filtration. This isn't the plot to next summer's killer Sci-Fi horror movie; this is what we are dealing with on the Internet today. In either case, the long- term public interest would probably be served more by funding agencies to track down and stop the spread of the pathogen. -- Daniel Reed <n@ml.org> http://naim-users.org/nmlorg/ http://naim.n.ml.org/
On Mon, 16 Feb 2004, Daniel Reed wrote:
On 2004-02-15T17:33-0500, Sean Donelan wrote: ) The unfortunate fact is lots of people like to operate open, anonymous ) services and then expect other people to clean up after them. ) ) Why don't IRC operators require authentication of their users? ) Why don't SMTP operators require authentication of their users?
Why don't HTTP operators require authentication of their users? If I'm researching testicular cancer on the web, that may involve web sites, IRC support channels, or mailing lists.
If you have a read-write HTTP web site (i.e. send e-mail through web, write web blogs, etc), why don't you have authentication before permiting users to write? This includes news web sites which let you "forward" stories by entering arbitrary addresses. mailfrom.cgi and friends is as much of a problem. If you want to tell everyone in the world about your new and improved cure for testicular cancer available for the low low price of $119 by sending continious messages on unauthenticated IRC channels, mailing lists and web blogs why should the ISP pierce the veil of anonymitity the IRC operator, mailing list operator, web blog operator wanted? The operator of the anonymous service should deal with the consequences of maintaining that anonymitity. ISPs authenticated their users. But that doesn't mean it is the ISP's responsibility to track down users of anonymous services everytime there is a problem.
This isn't the plot to next summer's killer Sci-Fi horror movie; this is what we are dealing with on the Internet today. In either case, the long- term public interest would probably be served more by funding agencies to track down and stop the spread of the pathogen.
Restuarant operators are responsible for the safe preparation of the food they serve and the cleanliness of their resturants. It is not up to the highway department to prevent sick people from visiting your restuarant or to monitor the trucks transporting food on the highway. If you want the ISP (highway department) to control it, expect them to set up inspection points on the roads they control and disrupt all traffic. If you don't want ISPs doing this, don't ask them to enforce things they shouldn't be doing.
good while doing that add *!*@proxad.net to the list of spammers that bug people -Henry On Mon, 16 Feb 2004, Daniel Reed wrote:
On 2004-02-15T17:33-0500, Sean Donelan wrote: ) The unfortunate fact is lots of people like to operate open, anonymous ) services and then expect other people to clean up after them. ) ) Why don't IRC operators require authentication of their users? ) Why don't SMTP operators require authentication of their users?
Why don't HTTP operators require authentication of their users? If I'm researching testicular cancer on the web, that may involve web sites, IRC support channels, or mailing lists.
If you have a read-write HTTP web site (i.e. send e-mail through web, write web blogs, etc), why don't you have authentication before permiting users to write? This includes news web sites which let you "forward" stories by entering arbitrary addresses. mailfrom.cgi and friends is as much of a problem. If you want to tell everyone in the world about your new and improved cure for testicular cancer available for the low low price of $119 by sending continious messages on unauthenticated IRC channels, mailing lists and web blogs why should the ISP pierce the veil of anonymitity the IRC operator, mailing list operator, web blog operator wanted? The operator of the anonymous service should deal with the consequences of maintaining that anonymitity. ISPs authenticated their users. But that doesn't mean it is the ISP's responsibility to track down users of anonymous services everytime there is a problem.
This isn't the plot to next summer's killer Sci-Fi horror movie; this is what we are dealing with on the Internet today. In either case, the long- term public interest would probably be served more by funding agencies to track down and stop the spread of the pathogen.
Restuarant operators are responsible for the safe preparation of the food they serve and the cleanliness of their resturants. It is not up to the highway department to prevent sick people from visiting your restuarant or to monitor the trucks transporting food on the highway. If you want the ISP (highway department) to control it, expect them to set up inspection points on the roads they control and disrupt all traffic. If you don't want ISPs doing this, don't ask them to enforce things they shouldn't be doing.
On 2004-02-16T12:58-0500, Sean Donelan wrote: ) On Mon, 16 Feb 2004, Daniel Reed wrote: ) > On 2004-02-15T17:33-0500, Sean Donelan wrote: ) > ) Why don't IRC operators require authentication of their users? ) > ) Why don't SMTP operators require authentication of their users? ) The operator of the anonymous service should deal with the consequences ) of maintaining that anonymitity. ISPs authenticated their users. But And in large part, we do. I am an IRC Operator on a large IRC network, called EFnet, and I do report abuse whenever it occurs in my presence. Unfortunately, I have never received an affirmative response from an ISP after reporting such abuse; never received a request for additional information; and certainly never seen the problem host cease to be a problem after reporting. I am perhaps one of the few operators still interested in abuse reporting; many have simply resigned themselves to finding abusers using constantly- evolving techniques and simply banning them from the network when they are found. This helps us in the short term, but is only an arms race in the long term. It is a commonly held belief that any type of subscription service will be repeatedly evaded through technical innovation; the fix must come from the providers. The problem appears to be that many network operators do not think of themselves as anything beyond commercial network providers. Many appear loath to take any effort above and beyond ensuring their users' bills are paid regularly, or their budgets are kept low, etc. Many will have RFC 2142 contacts, but appear to discard incoming mail. Some, such as Charter Communications, do not even have these mandatory addresses (mail is not accepted for <abuse@charter.com>). ) Restuarant operators are responsible for the safe preparation of the food ) they serve and the cleanliness of their resturants. It is not up to the ) highway department to prevent sick people from visiting your restuarant ) or to monitor the trucks transporting food on the highway. And on the other hand, it is the CDC that would perform an outbreak isolation, not the restaurant staff. The CDC would also trace who the infected person had contact with and take steps to verify their health, etc. The restaurant could not possibly hope to have the resources or training to effectively deal with people walking in off the street carrying a deadly pathogen, and still have enough resources to provide a decent service. -- Daniel Reed <n@ml.org> http://naim-users.org/nmlorg/ http://naim.n.ml.org/ The pursuit of pretty formulas and neat theorems can no doubt quickly degenerate into a silly vice, but so can the quest for austere generalities which are so very general indeed that they are incapable of application to any particular. -- Eric Temple Bell, Mathematician
On Mon, 16 Feb 2004, Daniel Reed wrote:
paid regularly, or their budgets are kept low, etc. Many will have RFC 2142 contacts, but appear to discard incoming mail. Some, such as Charter Communications, do not even have these mandatory addresses (mail is not accepted for <abuse@charter.com>).
while they do not conform to the RFC, they receive accept mail at/for abuse@chartercom.com [This would be the domain w/o outsourced MX...]
And on the other hand, it is the CDC that would perform an outbreak isolation, not the restaurant staff.
You're talking about a concerted effort. So far, I haven't seen the levels of cooperation between providers that is required. I'm all for everyone holding hands and squashing out issues. But until you get past the isolationist mindset (you must be sick of me saying that by now) good luck... I think we're both in agreement that until * starts saying "If I don't stop this today, it will hurt me tomorrow", that the cooperation required to address and stop these issues will be nil. -mark
On 2004-02-17T11:56-0600, Mark Turpin wrote: ) On Mon, 16 Feb 2004, Daniel Reed wrote: ) > And on the other hand, it is the CDC that would perform an outbreak ) > isolation, not the restaurant staff. ) I think we're both in agreement that until * starts saying "If I ) don't stop this today, it will hurt me tomorrow", that the ) cooperation required to address and stop these issues will be nil. I am not sure it will take any major coordinated effort. For many outbreak incidents, the CDC would respond in the U.S., other agencies would respond elsewhere. Coincidentally enough, CNN.com just posted an article "Your PC could be a 'spam zombie'" <http://www.cnn.com/2004/TECH/ptech/02/17/spam.zombies.ap/>. The provider mentioned appears to be turning off customers [unwittingly] involved in abuse without any major coordinated effort behind them. (And I am sure there other examples of providers taking such action.) -- Daniel Reed <n@ml.org> http://naim-users.org/nmlorg/ http://naim.n.ml.org/ "Murphy's Law is recursive. Washing your car to make it rain doesn't work."
On Tue, 17 Feb 2004, Daniel Reed wrote:
I am not sure it will take any major coordinated effort. For many outbreak incidents, the CDC would respond in the U.S., other agencies would respond elsewhere.
To perform a traceback in the US the CDC works with hospitals, doctors, etc. since they have the authority to do so. Which body has that authority within the US (and knows how to use it). Law enforcement comes to mind, but that doesn't scale. Nor is this the right place to discuss that issue ;)
Coincidentally enough, CNN.com just posted an article "Your PC could be a 'spam zombie'" <http://www.cnn.com/2004/TECH/ptech/02/17/spam.zombies.ap/>. The provider mentioned appears to be turning off customers [unwittingly] involved in abuse without any major coordinated effort behind them. (And I am sure there other examples of providers taking such action.)
Everyone knows about/of spam. Does everyone know about DoS? I'm just throwing it out there as an example, I don't really want to get in to who should know what, etc... These problems [as all issues] are a topic that only those passionate few [those typically affected by it] truly seek resolution. I believe it is human (or maybe just American?) nature to not care until something affects you. alas, i'm lacking operational content, so this is my final bit of input on the matter. -mark
Well they accept mail at abuse@charter.com but they certainly don't do anything about it. I have sent numerous complaints to that address with absolutely nothing happening to fix the problem. The address is a black hole. Roy -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Mark Turpin Sent: Tuesday, February 17, 2004 9:56 AM To: nanog@merit.edu Subject: Re: Open, anonymous services and dealing with abuse On Mon, 16 Feb 2004, Daniel Reed wrote:
paid regularly, or their budgets are kept low, etc. Many will have RFC 2142 contacts, but appear to discard incoming mail. Some, such as Charter Communications, do not even have these mandatory addresses (mail is not accepted for <abuse@charter.com>).
while they do not conform to the RFC, they receive accept mail at/for abuse@chartercom.com [This would be the domain w/o outsourced MX...]
And on the other hand, it is the CDC that would perform an outbreak isolation, not the restaurant staff.
You're talking about a concerted effort. So far, I haven't seen the levels of cooperation between providers that is required. I'm all for everyone holding hands and squashing out issues. But until you get past the isolationist mindset (you must be sick of me saying that by now) good luck... I think we're both in agreement that until * starts saying "If I don't stop this today, it will hurt me tomorrow", that the cooperation required to address and stop these issues will be nil. -mark
Well at least they are somewhat DNS responsible in that they seperate their user IP space well. SO that it can be blocked. the really annoying ISPS's use stupid things like DSL1234.isp.com And such. Of course doing this does block those 1 in 100 people runing a server on their DSL line and not requesting a reverse DNS change. la.charter.com 550 NO Mail Accepted From DSL va.charter.com 550 NO Mail Accepted From DSL mn.charter.com 550 NO Mail Accepted From DSL ga.charter.com 550 NO Mail Accepted From DSL ct.charter.com 550 NO Mail Accepted From DSL ma.charter.com 550 NO Mail Accepted From DSL ca.charter.com 550 NO Mail Accepted From DSL wi.charter.com 550 NO Mail Accepted From DSL al.charter.com 550 NO Mail Accepted From DSL sc.charter.com 550 NO Mail Accepted From DSL tx.charter.com 550 NO Mail Accepted From DSL nc.charter.com 550 NO Mail Accepted From DSL Nicole On 17-Feb-04 Unnamed Administration sources reported Roy said :
Well they accept mail at abuse@charter.com but they certainly don't do anything about it. I have sent numerous complaints to that address with absolutely nothing happening to fix the problem. The address is a black hole.
Roy
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Mark Turpin Sent: Tuesday, February 17, 2004 9:56 AM To: nanog@merit.edu Subject: Re: Open, anonymous services and dealing with abuse
On Mon, 16 Feb 2004, Daniel Reed wrote:
paid regularly, or their budgets are kept low, etc. Many will have RFC 2142 contacts, but appear to discard incoming mail. Some, such as Charter Communications, do not even have these mandatory addresses (mail is not accepted for <abuse@charter.com>).
while they do not conform to the RFC, they receive accept mail at/for abuse@chartercom.com
[This would be the domain w/o outsourced MX...]
And on the other hand, it is the CDC that would perform an outbreak isolation, not the restaurant staff.
You're talking about a concerted effort. So far, I haven't seen the levels of cooperation between providers that is required. I'm all for everyone holding hands and squashing out issues. But until you get past the isolationist mindset (you must be sick of me saying that by now) good luck...
I think we're both in agreement that until * starts saying "If I don't stop this today, it will hurt me tomorrow", that the cooperation required to address and stop these issues will be nil.
-mark
-- |\ __ /| (`\ | o_o |__ ) ) // \\ - nmh@daemontech.com - Powered by FreeBSD - ------------------------------------------------------ " Daemons" will now be known as "spiritual guides" -Politically Correct UNIX Page Great places... http://www.nonsenseband.com - My Band http://www.picturetrail.com - Sysadmin http://www.mediatechnique.com - Sysadmin2
1700+ attempts from one IP address to send mail today via one of my servers. -----Original Message----- From: nicole@xwin.nmhtech.com [mailto:nicole@xwin.nmhtech.com]On Behalf Of Nicole Sent: Tuesday, February 17, 2004 12:25 PM To: nanog@merit.edu Cc: Mark Turpin; Roy Subject: RE: Open, anonymous services and dealing with abuse Well at least they are somewhat DNS responsible in that they seperate their user IP space well. SO that it can be blocked. the really annoying ISPS's use stupid things like DSL1234.isp.com And such. Of course doing this does block those 1 in 100 people runing a server on their DSL line and not requesting a reverse DNS change. la.charter.com 550 NO Mail Accepted From DSL va.charter.com 550 NO Mail Accepted From DSL mn.charter.com 550 NO Mail Accepted From DSL ga.charter.com 550 NO Mail Accepted From DSL ct.charter.com 550 NO Mail Accepted From DSL ma.charter.com 550 NO Mail Accepted From DSL ca.charter.com 550 NO Mail Accepted From DSL wi.charter.com 550 NO Mail Accepted From DSL al.charter.com 550 NO Mail Accepted From DSL sc.charter.com 550 NO Mail Accepted From DSL tx.charter.com 550 NO Mail Accepted From DSL nc.charter.com 550 NO Mail Accepted From DSL Nicole On 17-Feb-04 Unnamed Administration sources reported Roy said :
Well they accept mail at abuse@charter.com but they certainly don't do anything about it. I have sent numerous complaints to that address with absolutely nothing happening to fix the problem. The address is a black hole.
Roy
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Mark Turpin Sent: Tuesday, February 17, 2004 9:56 AM To: nanog@merit.edu Subject: Re: Open, anonymous services and dealing with abuse
On Mon, 16 Feb 2004, Daniel Reed wrote:
paid regularly, or their budgets are kept low, etc. Many will have RFC 2142 contacts, but appear to discard incoming mail. Some, such as Charter Communications, do not even have these mandatory addresses (mail is not accepted for <abuse@charter.com>).
while they do not conform to the RFC, they receive accept mail at/for abuse@chartercom.com
[This would be the domain w/o outsourced MX...]
And on the other hand, it is the CDC that would perform an outbreak isolation, not the restaurant staff.
You're talking about a concerted effort. So far, I haven't seen the levels of cooperation between providers that is required. I'm all for everyone holding hands and squashing out issues. But until you get past the isolationist mindset (you must be sick of me saying that by now) good luck...
I think we're both in agreement that until * starts saying "If I don't stop this today, it will hurt me tomorrow", that the cooperation required to address and stop these issues will be nil.
-mark
-- |\ __ /| (`\ | o_o |__ ) ) // \\ - nmh@daemontech.com - Powered by FreeBSD - ------------------------------------------------------ " Daemons" will now be known as "spiritual guides" -Politically Correct UNIX Page Great places... http://www.nonsenseband.com - My Band http://www.picturetrail.com - Sysadmin http://www.mediatechnique.com - Sysadmin2
Recently, Daniel Reed <n@ml.org> wrote: The *truly* unfortunate fact is lots of ISPs like to do things like throw up firewall rules and then expect other people to clean up after the real problems they are simply evading.
Consider this: A pathogen is developed that kills anyone with which it comes in contact. People across the world are randomly exposed to the pathogen and begin dying en masse.
Short-term public interest would seem to necessitate that hosting public meetings should now be discouraged, if not outright banned. In some areas, ordinances might be passed requiring that any human contact be made only if both parties know each other, and can prove they have adequate air filtration.
This isn't the plot to next summer's killer Sci-Fi horror movie; this is what we are dealing with on the Internet today. In either case, the long- term public interest would probably be served more by funding agencies to track down and stop the spread of the pathogen.
The problem is, your analogy is too extreme; if people really *were* dying, there'd be more attention paid to it. Unfortunately, if we look at a more real-world case, like herpes, you realize that we don't take contagion very seriously unless people are dying from it. Instead, we end up with ora-gel, anbasol, and other such fun products to take the sting away without actually doing anything. Likewise in the network, we have a similar approach; when the cold sores flare up again, apply a topical solution to take some of the sting away, and then continue life like normal...including spreading that numb-but-still-infectious cold sore to others. Trojaned PCs and zombie proxies relaying spam are like cold sores; they don't kill anyone, they just make things mildly uncomfortable, so we numb them over, and go about our business like normal, even if that includes allowing the infection to spread even further. If proxies *did* kill, then yes, we'd take them seriously; but anything short of that, and real life tells us we won't take them seriously enough to try to do real research into ultimately stamping them out.
-- Daniel Reed <n@ml.org> http://naim-users.org/nmlorg/ http://naim.n.ml.org/
Matt, feeling pessimistic this morning
On Tue, 17 Feb 2004 matt@petach.org wrote:
Trojaned PCs and zombie proxies relaying spam are like cold sores; they don't kill anyone, they just make things mildly uncomfortable, so we numb them over, and go about our business like normal, even if that includes allowing the infection to spread even further.
If proxies *did* kill, then yes, we'd take them seriously; but anything short of that, and real life tells us we won't take them seriously enough to try to do real research into ultimately stamping them out.
But proxies do "kill" - the trojaned "owned" PCs are and have been for years used to create distributed DoS attacks which can easily kill a site or even smaller network. There is enourmous potential harm to from them and that is in addition to normal everyday less articulated harm because of spam and more that mail servers and other infrastracture is being used for it. ISPs end up paying for all this. Everybody thinks if its not us, we don't have problem so we dont want to spend anything to fix it - bu its not true, you already are paying for it due to increased cost of operation. The cost of fixing your own network even 50% of other ISPs did it, would in the end be smaller. -- William Leibzon Elan Networks william@elan.net
I hate to see government get involved in anything, but perhaps some law holding PC owners responsible for SPAM that comes from their unpatched machines AS LONG AS there is ample notification to that user that their machine is compromised. Also, ISP's should be held responsible for allowing unpatched machines to be connected to them and for e-mail to be propagated from their. Sounds like an unfunded "mandate", and it probably is, but there is the concept of "attractive nusaince" in the law now. Again, any law would need to be designed to allow for AMPLE notification to the owner of the offending machine/ISP to allow time for them to fix it. Only then would there be a requirement that their ISP disconnect them or face fines. ----- Original Message ----- From: "william(at)elan.net" <william@elan.net> To: <matt@petach.org> Cc: <nanog@merit.edu> Sent: Tuesday, February 17, 2004 15:27 Subject: Re: Open, anonymous services and dealing with abuse
On Tue, 17 Feb 2004 matt@petach.org wrote:
Trojaned PCs and zombie proxies relaying spam are like cold sores; they don't kill anyone, they just make things mildly uncomfortable, so we numb them over, and go about our business like normal, even if that includes allowing the infection to spread even further.
If proxies *did* kill, then yes, we'd take them seriously; but anything short of that, and real life tells us we won't take them seriously enough to try to do real research into ultimately stamping them out.
But proxies do "kill" - the trojaned "owned" PCs are and have been for years used to create distributed DoS attacks which can easily kill a site or even smaller network. There is enourmous potential harm to from them and that is in addition to normal everyday less articulated harm because of spam and more that mail servers and other infrastracture is being used for it. ISPs end up paying for all this.
Everybody thinks if its not us, we don't have problem so we dont want to spend anything to fix it - bu its not true, you already are paying for it due to increased cost of operation. The cost of fixing your own network even 50% of other ISPs did it, would in the end be smaller.
-- William Leibzon Elan Networks william@elan.net
At 12:43 PM 2/17/2004, John Palmer wrote:
I hate to see government get involved in anything, but perhaps some law holding PC owners responsible for SPAM that comes from their unpatched machines AS LONG AS there is ample notification to that user that their machine is compromised.
We don't need more new laws. There is already a law - in most parts of the world you can be charged with "contributory negligence" for failing to secure an "attractive nuisance" and then a third party is injured or damaged due to your negligence. In any part of the world that doesn't have such a law, a "new law" in another part of the world wouldn't matter anyway. What is needed is for someone to CARE enough to bother to investigate and prosecute. And yes, it's going to cost "more than it's worth" to prosecute, at least the first few times. Someone has to decide that the long-term good is worth the price of being the leader in this charge. IMHO, you should sue both the owner of the PC (for negligently failing to properly secure their computer, or to fix it when notified), and sue Microsoft (for neglegently producing and selling software that was so easily compromised) as they are both responsible for the hardware/software that was used to damage your servers/network etc. Microsoft's EULA doesn't apply to you as a third party who is damaged by their faulty software. You should also consider an offer to settle with the PC owner if they agree to jointly sue Microsoft on your behalf. You are not held to the EULA, but they are, but since Microsoft's software is *negligent* it's possible that the EULA doesn't penetrate their inherent liability to not produce a product that causes harm. (A EULA won't protect a ladder maker from negligently building and selling a ladder on which people get hurt when they use it for its intended purpose.) But we won't know until someone digs down into their pockets and funds a lawsuit to try it out. Sorry about the lack of operational content in this post, but sometimes you have to consider the costs and benefits of both operational solutions and other solutions (e.g. legal solution) in order to determine which solution is the best one for your network, both in the short term and in the long term. jc -- p.s. Please do not cc me on replies to the list. Please reply to the list only, or to me only (as you prefer) but not to both.
--On 13 February 2004 09:27 -0500 Valdis.Kletnieks@vt.edu wrote:
Yeeee-Haw! A return to the Old West of bangbaths and pathalias.
*Not* that I think bilateral peering for SMTP is a great idea, but: a web of trust (A trusts B, B trusts C) does not necessarily mean the mail has to traverse the route of the web of trust (i.e. if A can establish B trusts C, then why not accept the mail directly from C if all B is going to do is forward it in essence unaltered). Perhaps this is no different from having someone DNS sign some form of inverse MX record saying "this is my customer and they shalt not spam you or lo the wrath of my abuse department shall descend on them and cut them off", and people not accept mail from those without that an inverse MX record signed by someone they trust, someone who someone they trust trusts (etc.). Alex
On Fri, Feb 13, 2004 at 11:05:16AM +0000, Michael.Dillon@radianz.com wrote:
To attack spam, we need to attack it at its core, not at some secondary or tertiary side-effect, with a mechanism that also hurt legitimate users.
We, as network operators don't need to attack spam. We need to ignore spam itself and get to work securing the network that enables spammers to do their dirty work.
Much talk about using SMTP AUTH, but nothing about using STARTTLS? Alone, SMTP AUTH is somewhat better, but requires that the passwords be stored plain-text on the server (CRAM-MD5 or DIGEST-MD5), or that the password traverse the wire in plain-text (PLAIN or LOGIN). So by requiring STARTTLS for SMTP AUTH the transmission can be encrypted and the passwords on the server encrypted as well. Furthermore, if mail server admins step up and enable STARTTLS on their systems it opens up the possibilities of using certificate verification and PKI. -- Some days it's just not worth chewing through the restraints... Mark Foster <mark@foster.cc> http://mark.foster.cc/
participants (15)
-
Alex Bligh -
Daniel Reed -
Henry Linneweh -
JC Dill -
John Palmer -
Mark Foster -
Mark Turpin -
matt@petach.org -
Michael.Dillon@radianz.com -
Nicole -
Rob Pickering -
Roy -
Sean Donelan -
Valdis.Kletnieks@vt.edu -
william(at)elan.net