Re: Problems sending mail to yahoo?
Joe Greco wrote:
So it's a vast sea of security by obscurity and standards be damned. It's a real and serious failure of the IETF et al. ... Having nearly given up in disgust on trying to devise workable anti-spam solutions that would reliably deliver requested/desired mail to my own mailbox, I came to the realization that the real problem with the e-mail system is so fundamental that there's no trivial way to "save" it.
Sounds like the party line inside Yahoo, but there are plenty of ISPs that do a really good job of combating spam. They do it with standard tools like RBLs, Spamassassin, OCR, ClamAV and without ineffective diversions like SPF or DKIM. Add a few local customizations (I know, this is the time consuming part), IP-layer IDS, stir carefully and voila, spam to real mail ratios well below 1 to 100. All without big junk folders, with very rare false positives, and little or no effort on the part of end-users. The problem is that it is an art, not well documented (without reading 5 or 6 sendmail/postfix and anti-spam mailing lists for a several years), is not taught in school (unlike systems and network administration), and rarely gets measured with decent metrics. Not that spam really has much to do with network operations, well, except perhaps for those pesky Netcool/Openview/Nagios alerts... Roger Marquis
On Sun, Apr 13, 2008 at 11:15 AM, Roger Marquis <marquis@roble.com> wrote:
Sounds like the party line inside Yahoo, but there are plenty of ISPs that do a really good job of combating spam. They do it with standard tools like RBLs, Spamassassin, OCR, ClamAV and without ineffective diversions like SPF or DKIM.
Unless you have actually implemented filters on production mail platforms with several million users.. please.
Not that spam really has much to do with network operations, well, except perhaps for those pesky Netcool/Openview/Nagios alerts...
You havent been sitting in on most of the security related talks and bofs at *nog, right? If you have, that'd be a surprisingly naïve statement. srs -- Suresh Ramasubramanian (ops.lists@gmail.com)
Roger Marquis wrote:
Sounds like the party line inside Yahoo, but there are plenty of ISPs that do a really good job of combating spam. They do it with standard tools like RBLs, Spamassassin, OCR, ClamAV and without ineffective diversions like SPF or DKIM.
Seen from inside, it is not spamfilters but it is the routing table. I have seen spam dropping by 98% when zerorouting some networks. Nobody complained about false positives :) But this is another story for the big ones. They might have customers.
The problem is that it is an art, not well documented (without reading 5 or 6 sendmail/postfix and anti-spam mailing lists for a several years), is not taught in school (unlike systems and network administration), and rarely gets measured with decent metrics.
That is true. Plus the rules are constantly changeing.
Not that spam really has much to do with network operations, well, except perhaps for those pesky Netcool/Openview/Nagios alerts...
At the edge it does. It can bring your VoIP down and video on demand. I know from campus networks who improved p2p service when zerorouting networks known for sending spam. Peter -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Rimbacher Strasse 16 D-69509 Moerlenbach-Bonsweiher +49(6209)795-816 (Telekom) +49(6252)750-308 (VoIP: sipgate.de) mail: peter@peter-dambier.de http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/ http://www.cesidianroot.com/
I realize it's natural and predictable, when spam is mentioned, to repeat the folklore...then the robots came and we were all driven underground to survive... However my point was something more in the realm of standards and operations and what we can do rather than going back over what we can't seem to do. For example, and it's only an example don't quibble the example, defining a list of return SMTP codes which are actually specific and meaningful like (let's assume they should be 5xx, maybe 7xx would be a better start? Policy failure codes) 540 Sending site in internal blacklist contact: URL or MAILBOX 541 Sending site is in external blacklist: URL 542 FROM address blocked: MAILBOX 543 RCPT address blocked: MAILBOX 544 BODY contained blacklisted URL or MAILBOX: URL or MAILBOX 545 BODY contained blacklisted string not a URL or MAILBOX 546 SUBJECT contained blacklisted URL or MAILBOX: URL or MAILBOX 547 SUBJECT contained blacklisted string not a URL or MAILBOX 548 SPF Failure (note: could be subsetted further or detail code added) 549 DKIM Failure (note: could be subsetted further or detail code added) and so on, a taxonomy which could then at least be dealt with intelligently by sending MTAs and supporting software rather than each side cooking up their own stuff. That's the first problem with this yahoo flap, right? You have to go to the backed up mail queues and stare at them and try to pattern match that a lot of these are from yahoo, and oh look they're deferred?, wait, inside the queue files you can find this "421 Deferred due to user complaints see URL" which then leads you to a form to fill out and you're still not sure what exactly you're pursuing other than hoping you can make it go away either by your action or theirs. Gak, there isn't even a standard code which means MAILBOX FULL or ACCOUNT NOT RECEIVING MAIL other than MAILBOX FULL, maybe by choice, maybe non-payment, as specific as a site is comfortable with. That's what I mean by standards and at least trying to focus on what can be done rather than the endless retelling of what can't be done. More specific and standardized SMTP failure codes are just one example but I think they illustrate the point I'm trying to make. Oh yeah here's another (ok maybe somewhere this is written down), how about agreeing on contact mailboxes like we did with postmaster@domain? Is it abuse@domain or spam@domain or support@domain or postmaster@domain (very commonly used) or ???@domain. Who cares? But let's pick ONE, stuff it in an RFC or BCP and try to get each other to conform to it. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
At 02:18 PM 4/13/2008, Barry Shein wrote:
Is it abuse@domain or spam@domain or support@domain or postmaster@domain (very commonly used) or ???@domain. Who cares? But let's pick ONE, stuff it in an RFC or BCP and try to get each other to conform to it.
abuse@domain is *already* specified (in RFC 2142). Granted, separating reports of email abuse from those for other forms of abuse might be useful for large providers, but since we can't even get many domains even to set up the already-specified abuse@ address, much less read the mail we send to it, I'm not convinced that it would help. OTOH, many email providers seem to think it's my job to know what their internal organization is and re-route email to some spam-specific email reporting address. While that is just rude and ignorant behavior in my book, at least having a single standardized address would be an improvement...
On April 13, 2008 at 15:17 szlists@szarka.org (Rob Szarka) wrote:
At 02:18 PM 4/13/2008, Barry Shein wrote:
Is it abuse@domain or spam@domain or support@domain or postmaster@domain (very commonly used) or ???@domain. Who cares? But let's pick ONE, stuff it in an RFC or BCP and try to get each other to conform to it.
abuse@domain is *already* specified (in RFC 2142).
Thank you. Perhaps that's why I prefaced that paragraph with: Oh yeah here's another (ok maybe somewhere this is written down), how ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ about agreeing on contact mailboxes like we did with postmaster@domain? but you for some reason elided it. Well, difficult to resist quibbling an example I suppose. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
of abuse might be useful for large providers, but since we can't even get many domains even to set up the already-specified abuse@ address, much less read the mail we send to it,
When someone like AOL offloads their user complaints of spams to all the abuse@ addresses instead of verifying that they actually are spams before sending off complaints, is it any surprise that everyone else is refusing to do their jobs for them? The reason abuse@ addresses are useless is because what is being sent to them is useless. George Roettger Netlink Services
At 04:41 PM 4/13/2008, Geo. wrote:
of abuse might be useful for large providers, but since we can't even get many domains even to set up the already-specified abuse@ address, much less read the mail we send to it,
When someone like AOL offloads their user complaints of spams to all the abuse@ addresses instead of verifying that they actually are spams before sending off complaints, is it any surprise that everyone else is refusing to do their jobs for them?
I'm not sure I know what you mean. Are you talking about the optional feedback loop? When I was signed up for that I did get a bunch of bogus reports, but other than that I've never received a spam report from AOL at all.
The reason abuse@ addresses are useless is because what is being sent to them is useless.
I'm sure that a lot of useless reports come in--my servers never originate spam, but we still get the occasional bogus report due to forged headers. At the same time, I certainly send dozens of real spam reports every day and they all contain actionable information (that would be supplemented further if an actual human were to ask). What I've found is that "too big to fail" ISPs respond (if they accept the email at all!) with either an automated response or a canned response from a help desk monkey who is actually wrong close to half the time, while many boutique providers and most US-based .edu sites respond personally and cluefully. (Don't get me started about the US government, especially the military...) My conclusion is that the problem is not crappy reports but rather under-investment in clue at big ISP help desks. All the fancy standards and tools in the world are not going to help this basic problem: stemming the tide of abuse from their networks is simply not a high enough priority for companies like Yahoo, Hotmail, AT&T, et al. Until they start losing money every time spam leaves their network, I don't see their behavior changing.
On Sun, 13 Apr 2008, Geo. wrote:
of abuse might be useful for large providers, but since we can't even get many domains even to set up the already-specified abuse@ address, much less read the mail we send to it,
When someone like AOL offloads their user complaints of spams to all the abuse@ addresses instead of verifying that they actually are spams before sending off complaints, is it any surprise that everyone else is refusing to do their jobs for them?
The reason abuse@ addresses are useless is because what is being sent to them is useless.
As one that works for a company that makes full use of complaints sent to it, abuse@ addresses are not useless, far from it. Please don't get the idea that because some think they're useless, it therefore is universal. We also get 100s of AOL feedbacks a day, which are filtered separately. Also not useless. And we've also reported incidents to other companies' abuse functions, and had them be resolved same-day because of it. Also, far from useless. How about if you're not actively in an abuse function, you hold off on declaring the function useless, cause the meme could catch on that it is, even if it's not, and I've yet to see an automated filtering/blocking system fully replace or completely obsolete a good trained network operator who understands what is and is not abuse on the network. -Dave D
I agree that they aren't completely useless. From our environment the abuse desks can be somewhat overwhelmed though. If you setup feedback loops for networks size of 1x /16 2x /17 2x /18 1x /19 to receive abuse complaints on dedicated / collocated customers you do get a some good complaints. Some of the time it is from compromised scripts, sometimes actual spammers, but most of the time it is from forwarded spam. This makes the abuse desk full of thousands and thousands of complaints. You can look in the headers of the spam complaints and see that it is forwarded spam, but it is still overhead. So signing up for a feedback loop for the entire network with something like Yahoo! can be burdensome and make abuse@ full of useless complaints. This isn't the problem I suppose in most environments, but it is in mine. Yahoo! blocking entire /24's are not necessarily a large problem, the larger problem is A. they don't tell you when it is blocked (I don't believe it would be hard to email the abuse@ contact of the IP address range..) B. their 'Bulk Mail Advocates' say they cannot tell what IP's are generating the /24 block once it is in place (perhaps it can be prior to the block?). C. They offer no way to exempt certain IP addresses to be exempted from the /24 'de-prioritization'. This means the smaller companies who send maybe 3 or 4 emails to Yahoo a day are having difficulty and there's nothing you can do until the issue with the entire /24 is solved. Administrators who actually find ways to get in touch with Yahoo to resolve issues are hindered by Yahoo's stance of 'It's coming from your network, you should be able to monitor it and figure it out'. In a dedicated/colo environment I don't think it is really reasonable to expect companies login to each server in a /24 to see who is sending mail to Yahoo. And even if they are sending mail to Yahoo were not psychic so we cannot tell what their users are marking as spam and what's not. I suppose the feedback loop would say that but...then abuse@ is flooded with complaints that are mostly mutual customers fault. Chances are if a server is sending spam to Yahoo they are sending it to quite a few other places as well which do actively report it. -Ray -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Dave Dennis Sent: Sunday, April 13, 2008 7:16 PM To: Geo. Cc: nanog@merit.edu Subject: Re: Problems sending mail to yahoo? On Sun, 13 Apr 2008, Geo. wrote:
of abuse might be useful for large providers, but since we can't even get many domains even to set up the already-specified abuse@ address, much less read the mail we send to it,
When someone like AOL offloads their user complaints of spams to all the abuse@ addresses instead of verifying that they actually are spams before sending off complaints, is it any surprise that everyone else is refusing to do their jobs for them?
The reason abuse@ addresses are useless is because what is being sent to them is useless.
As one that works for a company that makes full use of complaints sent to it, abuse@ addresses are not useless, far from it. Please don't get the idea that because some think they're useless, it therefore is universal. We also get 100s of AOL feedbacks a day, which are filtered separately. Also not useless. And we've also reported incidents to other companies' abuse functions, and had them be resolved same-day because of it. Also, far from useless. How about if you're not actively in an abuse function, you hold off on declaring the function useless, cause the meme could catch on that it is, even if it's not, and I've yet to see an automated filtering/blocking system fully replace or completely obsolete a good trained network operator who understands what is and is not abuse on the network. -Dave D
1. They are not complaints as such. They are what AOL users click report spam on 2. They are sent in a standard format - http://www.mipassoc.org/arf/ - and if you weed out the obvious (separate forwarding traffic out through another IP, and ditto for bounce traffic), then you will find that - for actual ISPs - actual spam reports will far outweigh the amount of misclicked reports. 3. As I said, its in ARF and that's machine parseable and you can get stats from it. On Mon, Apr 14, 2008 at 2:11 AM, Geo. <geoincidents@nls.net> wrote:
When someone like AOL offloads their user complaints of spams to all the abuse@ addresses instead of verifying that they actually are spams before sending off complaints, is it any surprise that everyone else is refusing to do their jobs for them?
The reason abuse@ addresses are useless is because what is being sent to them is useless.
Gak, there isn't even a standard code which means MAILBOX FULL or ACCOUNT NOT RECEIVING MAIL other than MAILBOX FULL, maybe by choice, maybe non-payment, as specific as a site is comfortable with.
That's what I mean by standards and at least trying to focus on what can be done rather than the endless retelling of what can't be done.
I would have thought it was obvious, but to see this sort of enlightened ignorance(*) suggests that it isn't: The current methods of spam filtering require a certain level of opaqueness. Having just watched the gory hashing through of how $MEGAISP deals with filtering on another list, I was amazed that the prevailing stance among mailbox hosters is that they don't really care about principles, and that they mostly care about whether or not users complain. For example, I feel very strongly that if a user signs up for a list, and then doesn't like it, it isn't the sender's fault, and the mail isn't spam. Now, if the user revokes permission to mail, and the sender keeps sending, that's covered as spam under most reasonable definitions, but that's not what we're talking about here. To expect senders to have psychic knowledge of what any individual recipient is or is not going to like is insane. Yet that's what current expectations appear to boil down to. So, on one hand, we have the "filtering by heuristics," which require a level of opaqueness, because if you respond "567 BODY contained www.sex.com, mail blocked" to their mail, you have given the spammer feedback to get around the spam. And on the other hand, we have the "filtering by statistics," which requires a large userbase and probably a "This Is Spam" button, where you use a complaint driven model to reject mail, but this is severely complicated because users have also been trained to report as spam any other mail that they don't want, which definitely includes even things that they've opted in to. So you have two opaque components to filtering. And senders are deliberately left guessing - is the problem REALLY that a mailbox is full, or am I getting greylisted in some odd manner? Filtering stinks. It is resource-intensive, time-consuming, error-prone, and pretty much an example of something that is desperately flagging "the current e-mail system is failing." You want to define standards? Let's define some standard for establishing permission to mail. If we could solve the permission problem, then the filtering wouldn't be such a problem, because there wouldn't need to be as much (or maybe even any). As a user, I want a way to unambiguously allow a specific sender to send me things, "spam" filtering be damned. I also want a way to retract that permission, and have the mail flow from that sender (or any of their "affiliates") to stop. Right now I've got a solution that allows me to do that, but it requires a significant paradigm change, away from single-e-mail-address. Addressing "standards" of the sort you suggest is relatively meaningless in the bigger picture, I think. Nice, but not that important. (*) It's enlightened to hope for standards that would allow remote sites to have some vague concept of what the problem is. I respect that. It just seems to be at odds with current reality.
More specific and standardized SMTP failure codes are just one example but I think they illustrate the point I'm trying to make.
Oh yeah here's another (ok maybe somewhere this is written down), how about agreeing on contact mailboxes like we did with postmaster@domain?
Yeah, like that's actually implemented or useful at a majority of domains.
Is it abuse@domain or spam@domain or support@domain or postmaster@domain (very commonly used) or ???@domain. Who cares? But let's pick ONE, stuff it in an RFC or BCP and try to get each other to conform to it.
Having defined methods for contacting people OOB would be nice. IFF (and often/mostly they don't) anyone cared to actually try to resolve individual problems. Don't expect them to want to, because for the most part, they do not. Sigh. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On April 13, 2008 at 14:24 jgreco@ns.sol.net (Joe Greco) wrote:
I would have thought it was obvious, but to see this sort of enlightened ignorance(*) suggests that it isn't: The current methods of spam filtering require a certain level of opaqueness.
Indeed, that must be the problem. But then you proceed to suggest:
So, on one hand, we have the "filtering by heuristics," which require a level of opaqueness, because if you respond "567 BODY contained www.sex.com, mail blocked" to their mail, you have given the spammer feedback to get around the spam.
Giving the spammer feedback? In the first place, I think s/he/it knows what domain they're using if they're following bounces at all. Perhaps they have to guess among whether it was the sender, body string, sending MTA, but really that's about it and given one of those four often being randomly generated (sender) and another (sender MTA) deducible by seeing if multiple sources were blocked on the same email...my arithmetic says you're down to about two plus or minus. But even that is naive since spammers of the sort anyone should bother worrying about use massive bot armies numbering O(million) and generally, and of necessity, use fire and forget sending techniques. Perhaps you have no conception of the amount of spam the major offenders send out. It's on the order of 100B/day, at least. That's why you and your aunt bessie and all the people on this list get the same exact spam. Because they're being sent out in the hundreds of billions. Per day. Now, what exactly do you base your interesting theory that spammers analyze return codes to improve their techniques for sending through your own specific (not general) mail blocks? Sure they do some bayesian scrambling and so forth but that's general and will work on zillions of sites running spamassassin or similar so that's worthwhile to them. But what, exactly, do you base your interesting theory that if a site returned "567 BODY contained www.sex.com" that spammers in general and such that it's worthy of concern would use this information to tune their efforts? This is not an existence proof, one example is not sufficient, it has to be evidence worthy of concern given O(100 billion) spams per day overwhelmingly sent by botnets which are the actual core of the actual problem. I say you're guessing, and not very convincingly either.
So you have two opaque components to filtering. And senders are deliberately left guessing - is the problem REALLY that a mailbox is full, or am I getting greylisted in some odd manner?
Except that most sites return some indication that a mailbox is full. It's just unfortunately in the realm of heuristics. But look into popular mailing list software packages (mailman, majordomo) and you'll see modules for classifying bounce backs heuristically and automatic list removal (or not if it seems like a temporary failure, e.g., mailbox full.)
Filtering stinks. It is resource-intensive, time-consuming, error-prone, and pretty much an example of something that is desperately flagging "the current e-mail system is failing."
And standardized return codes (for example) will make this worse, how?
You want to define standards? Let's define some standard for establishing permission to mail. If we could solve the permission problem, then the filtering wouldn't be such a problem, because there wouldn't need to be as much (or maybe even any). As a user, I want a way to unambiguously allow a specific sender to send me things, "spam" filtering be damned. I also want a way to retract that permission, and have the mail flow from that sender (or any of their "affiliates") to stop.
Sure, but this is pie in the sky. For starters you'd have to get the spammers to conform which would almost certainly take a design which was very difficult not to conform to, it would have to be technologically involuntary. Whitelists are the closest I can think of but they haven't been very popular and for good reasons. Anyhow, the entire planet awaits your design. A set of standardized return codes was carefully chosen by me as something which could be (other than the standards process itself) adopted practically overnight and with virtually zero backwards compatability problems (oh there'll always be an exception.)
Right now I've got a solution that allows me to do that, but it requires a significant paradigm change, away from single-e-mail-address.
There's nothing new in disposable, single-use addresses (or credit card numbers for that matter, a different realm) if that's what you mean but if you have something more clever the world (i.e., the big round you see when you look down) is your oyster.
Addressing "standards" of the sort you suggest is relatively meaningless in the bigger picture, I think. Nice, but not that important.
Well, first you'd have to indicate that you actually have a view of the problem which supports such a judgment. At any rate you're quibbling the example as I forewarned. But standardizing receiving MTA fail codes is, I suspect, more useful than you give them credit. It would be some progress at little to no cost in the large. It deals less with spam filtering and more with effective MTA to MTA operation. At least it's sticking to the realm of improving standards in a way that can be accomplished. I don't see how I could have given a better example without a lot of hand-waving and vagaries. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On April 13, 2008 at 14:24 jgreco@ns.sol.net (Joe Greco) wrote:
I would have thought it was obvious, but to see this sort of enlightened ignorance(*) suggests that it isn't: The current methods of spam filtering require a certain level of opaqueness.
Indeed, that must be the problem.
But then you proceed to suggest:
So, on one hand, we have the "filtering by heuristics," which require a level of opaqueness, because if you respond "567 BODY contained www.sex.com, mail blocked" to their mail, you have given the spammer feedback to get around the spam.
Giving the spammer feedback?
In the first place, I think s/he/it knows what domain they're using if they're following bounces at all. Perhaps they have to guess among whether it was the sender, body string, sending MTA, but really that's about it and given one of those four often being randomly generated (sender) and another (sender MTA) deducible by seeing if multiple sources were blocked on the same email...my arithmetic says you're down to about two plus or minus.
In many (even most) cases, that is only useful if you're sending a lot of mail towards a single source, a variable which introduces yet *another* ambiguity, since volume is certainly a factor in blocking decisions. Further, if you look at the average mail message, you have domains based on multiple factors, such as services to do open tracking (1x1/invisible pixels, etc), branding, and many other reasons that there could be more than a single domain in a single message. Further, once you're being blocked, it may be implemented by-IP even though there was some other metric that triggered the block. Having records that allow a sender to go back and unilaterally determine what was amiss may not be considered desirable by the receiving site.
But even that is naive since spammers of the sort anyone should bother worrying about use massive bot armies numbering O(million) and generally, and of necessity, use fire and forget sending techniques.
Do you mean to suggest that your definition of "spammer" only includes senders using massive bot armies? That'd be mostly pill spammers, phishers, and other really shady operators. There are whole other classes of spam and spammer.
Perhaps you have no conception of the amount of spam the major offenders send out. It's on the order of 100B/day, at least.
I have some idea. However, I will concede that my conception of current spam volumes is based mostly on what I'm able to quantify, which is the ~4-8GB/day of spam we receive here.
That's why you and your aunt bessie and all the people on this list get the same exact spam. Because they're being sent out in the hundreds of billions. Per day.
Actually, we see significant variation in spam received per address.
Now, what exactly do you base your interesting theory that spammers analyze return codes to improve their techniques for sending through your own specific (not general) mail blocks? Sure they do some bayesian scrambling and so forth but that's general and will work on zillions of sites running spamassassin or similar so that's worthwhile to them.
I'm sure that if you were to talk to the Postmasters at any major ISP/mail provider, especially ones like AOL, Hotmail, Yahoo, and Earthlink, that you would discover that they're familiar with businesses which claim to be in the business of "enhancing deliverability." However, what I'm saying was pretty much the inverse of the theory that you attribute to me: I'm saying that receivers often do NOT provide feedback detailing the specifics of why a block happened. As a matter of fact, I think I can say that the most common feedback provided in the mail world would be notice of listing on a DNS blocking list, and this is primarily because the default code and examples for implementation usually provide some feedback about the source (or, at least, source DNSBL) of the block. You'll see generic guidance such as the Yahoo! error message that started this thread ("temporarily deferred due to user complaints", IIRC), but that's not particularly helpful, now, is it. It doesn't tell you which user, or how many complaints, etc.
But what, exactly, do you base your interesting theory that if a site returned "567 BODY contained www.sex.com" that spammers in general and such that it's worthy of concern would use this information to tune their efforts?
Because there are businesses out there that claim to do that very sort of thing, except that they do it by actually sending mail and then checking canary e-mail boxes on the receiving site to measure effectiveness of their delivery strategy. Failures result in further tuning. Being able to simply analyze error messages would result in a huge boost for their effectiveness, since they would essentially be able to monitor the deliverability of entire mail runs, rather than assuming that the deliverability percentage of their canaries, plus any open tracking, indicated the actual delivery success rate. I would have expected this to be stunningly obvious to anyone discussing deliverability.
This is not an existence proof, one example is not sufficient, it has to be evidence worthy of concern given O(100 billion) spams per day overwhelmingly sent by botnets which are the actual core of the actual problem.
No, it doesn't. Don't be silly. There are spammers who are flooding the system, and hope to get mail through using sheer bulk. These guys aren't caring to stick around and listen to the result code. They've got their infected PC armies with however many hundreds of threads of spam-blasting gooness they can squeeze out of each, and they're pounding the hell out of recipients. They have a vested interest in not being easy to track back, so that's why we get so much fun broken spam with broken payloads. OBVIOUSLY they're not going to be listening for result codes. But that doesn't mean that every spammer works that way. There are entire e-mail service providers based on the principles of sending vast amounts of non-opt-in email. Spamhaus has a lot of information on the biggest of these. They exist.
I say you're guessing, and not very convincingly either.
I'm not guessing. Go visit Spamhaus.
So you have two opaque components to filtering. And senders are deliberately left guessing - is the problem REALLY that a mailbox is full, or am I getting greylisted in some odd manner?
Except that most sites return some indication that a mailbox is full. It's just unfortunately in the realm of heuristics.
There are sites that return "mailbox full" for a variety of cases.
But look into popular mailing list software packages (mailman, majordomo) and you'll see modules for classifying bounce backs heuristically and automatic list removal (or not if it seems like a temporary failure, e.g., mailbox full.)
Right. Except that it's quite a bit more complex than that. A typical E-Mail Service Provider ("ESP") has an extensive system for dealing with known brokenness at various mailbox providers, and very few ESP's are willing to drop a subscriber from a list for a single bounce. Now, of course, ESP's range from the whitehat (for those who missed it, Rodney Joffe founded "whitehat.com" a long time ago) to the greys, and all the way on down to the blackhats. There are certainly a lot of ESP's that attempt to implement various levels of "opt in" and "permission based" e-mailing, but there are also those that pretty much spam unapologetically. Bounce processing is complicated for them all. Even the blackhats have significant cause to carefully analyze return codes and try to divine some greater meaning, because if they get blocked, their delivery rates go down.
Filtering stinks. It is resource-intensive, time-consuming, error-prone, and pretty much an example of something that is desperately flagging "the current e-mail system is failing."
And standardized return codes (for example) will make this worse, how?
Standardized return codes (assuming any meaningful amount of detail was included) would make it easier for spammers to determine how their mail was being filtered, and to evade accordingly. That's a tragedy, because for legitimate senders, it means that they /also/ do not get automatic feedback on what they could do differently. I *suspect* that avoiding providing too much feedback may be why a certain percentage of e-mail simply vanishes at certain mailbox providers (cough, Hotmail, cough).
You want to define standards? Let's define some standard for establishing permission to mail. If we could solve the permission problem, then the filtering wouldn't be such a problem, because there wouldn't need to be as much (or maybe even any). As a user, I want a way to unambiguously allow a specific sender to send me things, "spam" filtering be damned. I also want a way to retract that permission, and have the mail flow from that sender (or any of their "affiliates") to stop.
Sure, but this is pie in the sky.
Sure. :-)
For starters you'd have to get the spammers to conform which would almost certainly take a design which was very difficult not to conform to, it would have to be technologically involuntary. Whitelists are the closest I can think of but they haven't been very popular and for good reasons.
Sure. The spammers stand to lose. Given a system where end users can revoke permission, they know that end users will. The current system, even at 99% rejection rates, is preferable because they can get through to a small percentage. Unfortunately, legitimate senders suffer under the current model.
Anyhow, the entire planet awaits your design.
I didn't say I had a design. Certainly there are solutions to the problem, but any solution I'm aware of involves paradigm changes of some sort, changes that apparently few are willing to make.
A set of standardized return codes was carefully chosen by me as something which could be (other than the standards process itself) adopted practically overnight and with virtually zero backwards compatability problems (oh there'll always be an exception.)
Sure. Anyone could do this. It's trivial. Perhaps there's a reason that virtually no one implements something like this. (Hm!)
Right now I've got a solution that allows me to do that, but it requires a significant paradigm change, away from single-e-mail-address.
There's nothing new in disposable, single-use addresses (or credit card numbers for that matter, a different realm) if that's what you mean but if you have something more clever the world (i.e., the big round you see when you look down) is your oyster.
I'm currently working towards a model where I deploy an address per site, which isn't a single-use model by any means. As a matter of fact, it's a model that allows that address to be "shared" (even abusively) by the senders, but at the point I decide to revoke permission, permission goes away for _everyone_ sending to that address. So it _is_ disposable, in the conventional sense. It brings the permission control aspect back squarely under my control, not under some random ESP's decision about whether or not to send to me. Consider the benefits for deliverability if a major ISP implemented something like this. Provide a facility for users to be able to get disposable addresses (preferably ones where the "disposable" portion could be handled prior to hitting the mail server, i.e. in DNS), and then guarantee to both users and senders that no mail sent to these addresses would be subject to spam filtering, rate limits, or other arbitrary things, on the basis that the subscriber clearly asked for the material. Revocation of permission would be available to the user, through the simple process of eliminating the DNS record for that particular disposable address. Quite frankly, this is almost the scenario that started me on this in the first place, because I was having such a devil of a time with getting our anti-spam measures to not trip on invoices and other "legitimate" stuff that arrives here, much of which is nearly indistinguishable, at the machine level, from spam. Despite being a viable solution to a large portion of the e-mail deliverability puzzle, my best guess is that no ISP actually wants to incur the cost and support hit of trying to get their users to use such a system. The current system, where users simply sigh and accept that they may not get their e-mail, is apparently preferable. It's certainly easier. Lower the expectations rather than try to fix the problem. That's fine, but then I'd really like them to be honest about it, and just admit that they're not so concerned about actually delivering desired mail as they are about keeping their costs as low as possible (etc.)
Addressing "standards" of the sort you suggest is relatively meaningless in the bigger picture, I think. Nice, but not that important.
Well, first you'd have to indicate that you actually have a view of the problem which supports such a judgment.
At any rate you're quibbling the example as I forewarned.
But standardizing receiving MTA fail codes is, I suspect, more useful than you give them credit. It would be some progress at little to no cost in the large.
By all means, then. Go ahead. You'll amaze me if you can actually get this implemented at any major ISP or mailbox provider. It would be nice for my cold and cynical viewpoints to be disproven, rather than to be proven as too optimistic.
It deals less with spam filtering and more with effective MTA to MTA operation.
That's not how the large ISP/mailbox providers will see it.
At least it's sticking to the realm of improving standards in a way that can be accomplished.
I don't see how I could have given a better example without a lot of hand-waving and vagaries.
Look, I certainly agree that it'd be *nice*, but there are lots of things that are *nice* that aren't going to happen. Shall we beat the BCP38 horse any further? There's a long history of things that would be nice that never come to pass. I've already written off reliable deliverability at large ISP's as one of those things. I'm now looking towards solutions to enable reliable deliverability at smaller sites where principles might still matter enough that people haven't completely written off e-mail as unusable. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Massive quoting gets old fast so I'll try to summarize and if I misrepresent your POV in any way my profuse apologies in advance. First and foremost let me say that if we had a vote here tomorrow on the spam problem I suspect you'd win but that's because most people, even (especially) people who believe themselves to be technically knowledgeable, hold a lot of misconceptions about spam. So much for democracy. I say the core problem in spam are the botnets capable of delivering on the order of 100 billion msgs/day. You say there are other kinds of spammers. I'll agree but if we got rid of or incapacitated the massive botnets that would be a trickle, manageable, and hardly be worth fussing about, particularly on an operational list. The reason is that without the botnets the spammers don't have address mobility. You could just block their servers. But if we don't agree on those points then we're talking past each other. I assert that the problem are the massive O(100B) botnet spammers and they simply don't have the resources or interest really (because they don't have the resources or business model) to do things like analyze return codes etc as you describe. So it's doubtful to me that returning more meaningful return codes in SMTP rejections would be of much use to them. It's also not of much use to them, as I previously described, even if they tried. They could deduce about the same information for about the same "price" without the return codes. But any such return codes should be voluntary, particularly the details, and a receiving MTA should be free to respond with as much or as little information as they are comfortable with right down to the big red button, "421 it just ain't happenin' bub!" But it was just an example of how perhaps some standards, particularly regarding mail rejection, might help operationally. I'm not pushing the particular example I gave of extending status codes. Also, again I can't claim to know what you're working on, but there are quite a few "disposable" address systems in production which use various variations such as one per sender, one per message, change it only when you want to, etc. But maybe you have something better, I encourage you to pursue your vision. And, finally, one quote:
I didn't say I had a design. Certainly there are solutions to the problem, but any solution I'm aware of involves paradigm changes of some sort, changes that apparently few are willing to make.
Gosh if you know of any FUSSP* whose only problem is that it requires everyone on the internet to abandon SMTP entirely or similar by all means share it. Unfortunately this is a common hand-wave, "oh we could get rid of spam overnight but it would require changes to (SMTP, usually) which would take a decade or more to implement, if at all!" Well, since it's already BEEN a decade or more that we've all been fussing about spam in a big way maybe we should have listened to people with a secret plan to end the war back in 1998. So I'm here to tell ya I'll listen to it now and I suspect so will a lot of others. * FUSSP - Final and Ultimate Solution to the Spam Problem. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Apr 13, 2008, at 5:04 PM, Barry Shein wrote:
Massive quoting gets old fast so I'll try to summarize and if I misrepresent your POV in any way my profuse apologies in advance.
First and foremost let me say that if we had a vote here tomorrow on the spam problem I suspect you'd win but that's because most people, even (especially) people who believe themselves to be technically knowledgeable, hold a lot of misconceptions about spam. So much for democracy.
I say the core problem in spam are the botnets capable of delivering on the order of 100 billion msgs/day.
You say there are other kinds of spammers.
I'll agree but if we got rid of or incapacitated the massive botnets that would be a trickle, manageable, and hardly be worth fussing about, particularly on an operational list.
The reason is that without the botnets the spammers don't have address mobility. You could just block their servers.
Address mobility doesn't buy you that much. It's relatively easy to mechanically detect, and block, IP addresses that source mail solely from spam- related botnets. (Not easy in the absolute sense, but easier than other problems and, mostly, a solved one). Botnet sourced mail generally doesn't get seen much by recipients at ISPs with competent spam filtering. It sure can cause other operational problems, but in terms of being a "spam problem" it's not the biggest one out there. Blocking unwanted mail from sources that send a mixture of wanted and unwanted mail, while still allowing the wanted mail through is extremely difficult, and a much, much harder problem for spam mitigation to solve. And those are primarily the non-botnet sources. Spam filtering at real ISPs with real recipients has to deal with the fact that recipients do want to read some of the mail they're sent from Gmail, Yahoo Groups, Topica and suchlike. Cheers, Steve
Massive quoting gets old fast so I'll try to summarize and if I misrepresent your POV in any way my profuse apologies in advance.
First and foremost let me say that if we had a vote here tomorrow on the spam problem I suspect you'd win but that's because most people, even (especially) people who believe themselves to be technically knowledgeable, hold a lot of misconceptions about spam. So much for democracy.
I say the core problem in spam are the botnets capable of delivering on the order of 100 billion msgs/day.
You say there are other kinds of spammers.
I'll agree but if we got rid of or incapacitated the massive botnets that would be a trickle, manageable, and hardly be worth fussing about, particularly on an operational list.
That's not quite true. The spam problem predates the massive botnets. Massive botnets are rather a recent thing. *A* core problem *for engineering purposes* is that botnets are capable of delivering an essentially unlimited flood of source material for our mail systems. This is a primary target for anti-spam efforts at the major ISP's, and certainly many of them have a lot of experience in trying to stem this highly effective and nonstop DDoS attack on the e-mail system. I do not believe that anyone seriously disagrees with that. However, the average user has different problems. First off, let me state this as a prerequisite for any further discussion. E-mail has to be perceived, by the users, as a beneficial tool, one that they can rely on for the things that they choose to do. If you disagree with this, then any further discussion is meaningless, because we do not share a common view of what the e-mail system needs to be. You would not be the only person to perceive e-mail in a different manner, if you did. To be sure, there are people who perceive it as something that is trivial, in the class of IM or IRC protocols, for example. I view it as something I'd like to work at least as reliably as the US Post. So, here are some additional problems. These are not botnet problems, but rather user problems with the e-mail system. Users cannot reliably receive e-mail that they have asked to receive. For example, receiving receipts from a vendor. Users cannot be assured that the e-mail that they've received is from the sender that it appears to be. Users cannot know if the mail that they've sent has been received by the dodgy freemail hoster that their friend is on. Users cannot withdraw permission to send from an abusive sender. They are finding their address shared with others, or are unable to unsub, or whatever. These are all significant problems with the current e-mail implementation. They do not represent DDoS-class problems. However, they do represent a massive set of problems that are driving users away from e-mail. If it is allowed to continue, our FUSSP can be to simply block all port 25, as SMTP will become irrelevant. Yes, that's a bit dramatic, but it's also the way things are headed.
The reason is that without the botnets the spammers don't have address mobility. You could just block their servers.
That's demonstrably false, and displays a gross ignorance of both historical and current spammer modes of operation. It is exceedingly common for hosting providers to receive requests from clients to be allocated many noncontiguous IP addresses out of a number of /24's, and these requests are honored by many of the seedier providers. This has been the case for years. Some of them even attempt to justify it by claiming that they need it for purposes of affecting Google advertising (for example). See http://www.spamhaus.org/faq/answers.lasso?section=Glossary#233 to learn more about snowshoe spamming, and related techniques.
But if we don't agree on those points then we're talking past each other.
We don't agree on some of them, that's for sure.
I assert that the problem are the massive O(100B) botnet spammers and they simply don't have the resources or interest really (because they don't have the resources or business model) to do things like analyze return codes etc as you describe.
That's _a_ problem, but it is hardly the only problem pressing in on the e-mail system. Were this the only problem, it would be easiest to solve it by whitelisting legitimate senders, probably in combination with some variation of the Spamhaus PBL system, and winding up with a restrictive version of SMTP that requires you to somehow be authorized to send e-mail. Variations on this have been less than completely successful. It is a monumental undertaking, but it /could/ be done. It wouldn't solve the problem, however.
So it's doubtful to me that returning more meaningful return codes in SMTP rejections would be of much use to them.
Of course not - to them.
It's also not of much use to them, as I previously described, even if they tried. They could deduce about the same information for about the same "price" without the return codes.
Again - to them. But they're hardly the only class of spammers. I realize it's convenient to ignore that fact for the purposes of this discussion, since it supports your argument while ignoring the fact that other spammers would mine a lot of useful information out of such messages.
But any such return codes should be voluntary,
And they are. To the best of my knowledge, you can put pretty much any crud you like after the "### ", and if anybody wanted to return this data, they would be doing it today.
particularly the details, and a receiving MTA should be free to respond with as much or as little information as they are comfortable with right down to the big red button, "421 it just ain't happenin' bub!"
But it was just an example of how perhaps some standards, particularly regarding mail rejection, might help operationally. I'm not pushing the particular example I gave of extending status codes.
Also, again I can't claim to know what you're working on, but there are quite a few "disposable" address systems in production which use various variations such as one per sender, one per message, change it only when you want to, etc. But maybe you have something better, I encourage you to pursue your vision.
No. The difference to my solution is simply that it solves all the problems I outlined when I wanted to solve the problem I started with - finding a clean way to be able to exempt senders from anti-spam checks that they frequently fell afoul of. But then again, I am merely saying that there are solutions capable, but that they all seem to require some paradigm shift.
And, finally, one quote:
I didn't say I had a design. Certainly there are solutions to the problem, but any solution I'm aware of involves paradigm changes of some sort, changes that apparently few are willing to make.
Gosh if you know of any FUSSP* whose only problem is that it requires everyone on the internet to abandon SMTP entirely or similar by all means share it.
That was kind of the nifty part to my solution: it didn't require any changes at any sender's site. By accepting some tradeoffs, I was able to compartmentalize all the permission issues as functions controlled by the receiving site.
Unfortunately this is a common hand-wave, "oh we could get rid of spam overnight but it would require changes to (SMTP, usually) which would take a decade or more to implement, if at all!"
Well, since it's already BEEN a decade or more that we've all been fussing about spam in a big way maybe we should have listened to people with a secret plan to end the war back in 1998. So I'm here to tell ya I'll listen to it now and I suspect so will a lot of others.
If we cannot have a flag day for the e-mail system, and obviously, duh, we cannot have a flag day for the e-mail system, we have to look at other changes. That's too big a paradigm shift. My solution is a comprehensive solution to the permission problem, which is a root issue in the fight against spam, but it is based on a paradigm shift that ISP's are unwilling to underwrite - dealing with per-correspondent addresses. This has challenges associated with it, primarily related to educating users how to use it, and then getting users to commit to actually doing so. That's not TOO big a paradigm shift, since it's completely backwards- compatible and managed at the receiving site without any support required anywhere else in the e-mail system, but since service providers aren't interested in it, it is a non-starter. Were it interesting, it wouldn't be that tough to support relatively transparently via plugins into modern browsers such as Firefox and Thunderbird. But it is a LARGE paradigm shift, and it doesn't even solve every problem with the e-mail system. I am unconvinced that there aren't smaller potential paradigm shifts that could be made. However... It is exceedingly clear to me that service providers prefer to treat the spam problem in a statistical manner. It offers fairly good results (if you consider ~90%-99% accuracy to be acceptable) but doesn't actually do anything for users who need e-mail that they can actually rely on. It's cheap (relatively speaking) and the support costs can be made to be cheap.
* FUSSP - Final and Ultimate Solution to the Spam Problem.
Shoot all the spammers? :-) ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Sun, Apr 13, 2008, Joe Greco wrote:
browsers such as Firefox and Thunderbird. But it is a LARGE paradigm shift, and it doesn't even solve every problem with the e-mail system.
I am unconvinced that there aren't smaller potential paradigm shifts that could be made. However...
There already has been a paradigm shift. University students ("college" for you 'merkins) use facebook, myspace (less now, thankfully!) and IMs as their primary online communication method. A number of students at my university use email purely because the university uses it for internal systems and communication, and use the above for everything else. I think you'll find that "we" are the paradigm shift that needs to happen. The younger people have already moved on. :) Adrian
On Sun, Apr 13, 2008, Joe Greco wrote:
browsers such as Firefox and Thunderbird. But it is a LARGE paradigm shift, and it doesn't even solve every problem with the e-mail system.
I am unconvinced that there aren't smaller potential paradigm shifts that could be made. However...
There already has been a paradigm shift. University students ("college" for you 'merkins) use facebook, myspace (less now, thankfully!) and IMs as their primary online communication method. A number of students at my university use email purely because the university uses it for internal systems and communication, and use the above for everything else.
I think you'll find that "we" are the paradigm shift that needs to happen. The younger people have already moved on. :)
I believe this is functionally equivalent to the "block 25 and consider SMTP dead" FUSSP. It's worth noting that each "newer" system is being systematically attacked as well. It isn't really a solution, it's just changing problem platforms. The abuse remains. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Sun, Apr 13, 2008, Joe Greco wrote:
I believe this is functionally equivalent to the "block 25 and consider SMTP dead" FUSSP.
It's worth noting that each "newer" system is being systematically attacked as well. It isn't really a solution, it's just changing problem platforms. The abuse remains.
Yes, but the ownership of the problem is better defined for messages -inside- a system. If you've got tens of millions of users on your IM service, you can start using statistical techniques on your data to identify likely spam/ham, and (very importantly) you are able to cut individual users off if they're doing something nasty. Users can't "fake" their identity like they can with email. There's no requirement for "broadcasting" messages a la email lists (which btw is touted as one of those "things that break" when various anti-spam verify-sender proposals come up.) Besides - google has a large enough cross section of users' email to do these tricks. I'd love to be a fly on the wall at google for just this reason .. Adrian
On Sun, Apr 13, 2008, Joe Greco wrote:
I believe this is functionally equivalent to the "block 25 and consider SMTP dead" FUSSP.
It's worth noting that each "newer" system is being systematically attacked as well. It isn't really a solution, it's just changing problem platforms. The abuse remains.
Yes, but the ownership of the problem is better defined for messages -inside- a system.
If you've got tens of millions of users on your IM service, you can start using statistical techniques on your data to identify likely spam/ham, and (very importantly) you are able to cut individual users off if they're doing something nasty. Users can't "fake" their identity like they can with email. There's no requirement for "broadcasting" messages a la email lists (which btw is touted as one of those "things that break" when various anti-spam verify-sender proposals come up.)
Besides - google has a large enough cross section of users' email to do these tricks. I'd love to be a fly on the wall at google for just this reason ..
Few of these systems have actually been demonstrated to be invulnerable to abuse. As a matter of fact, I just saw someone from LinkedIn asking about techniques for mitigating abuse. When it's relatively cheap (think: economically attractive in excessively poor countries with high unemployment) to hire human labor, or even to engineer CAPTCHA evasion systems where you have one of these wonderful billion-node-botnets available, it becomes feasible to get your message out. Statistically, there will be some holes. You only need a very small success rate. The relative anonymity offered by e-mail is a problem, yes, but it is only one challenge to the e-mail architecture. For example, given a realistic way to revoke permission to mail, having an anonymous party send you a message (or even millions of messages) wouldn't be a problem, because you could stop the flow whenever you wanted. The problem is that there isn't a commonly available way to revoke permission to mail. I've posted items in places where e-mail addresses are likely to be scraped or otherwise picked up and later spammed. What amazed me was how cool it was that I could actually post a usable e-mail address and receive comments from random people, and then when the spam began to roll in, I could simply turn off the address, and it doesn't even hit the mailservers. That's the power of being able to revoke permission. The cost? A DNS query and answer anytime some spammer tries to send to that address. But a DNS query was happening anyways... The solution I've implemented here, then, has the interesting quality of moving ownership of the problem of permission within our systems, without also requiring that all correspondents use our local messaging systems (bboard, private messaging, whatever) or having to do ANY work to figure out what's spam vs ham, etc. That's my ultimate reply to your message, by the way. Since it is clear that many other networks have no interest in stemming the flood of trash coming from their operations, and clearly they're not going to be interested in permission schemes that require their involvement, I'd say that solutions that do not rely on other networks cooperating to solve the problem bear the best chance of dealing with the problem. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
AC> Date: Mon, 14 Apr 2008 10:18:40 +0800 AC> From: Adrian Chadd AC> There already has been a paradigm shift. University students AC> ("college" for you 'merkins) use facebook, myspace (less now, AC> thankfully!) and IMs as their primary online communication method. IOW: "Must establish trust OOB before communication is allowed." Deny-by-default is not a panacea, to be sure. Accept-by-default? Seemingly the greater of the evils. Providers and end-users alike both are using ad-hoc methods to deal with spam as best they can. United we stand, divided we fall, yadda yadda. Here's a thought: Google has massive resources. Their searches deal extensively with graph theory, traversal, et cetera. Is it any wonder that they launched Orkut? And why Gmail required an "invite" for so long? Ever consider that a Gmail username found reading a Blogspot blog might be considered a sign of similar interest, perhaps even trust? It takes neither a rocket scientist nor a conspiracy theorist to conclude that Google is working on the "trust network" problem internally. Others probably are as well; I merely chose a high-profile example. I'll say it again: Providers would be well-served to create _some_ form of trust metric and data exchange. If anyone is interested in cooperating with data formats, source code, other efforts, kooky ideas, or insults, please ping me off-list. It might not lead to anything useful or of critical mass, but it has a better chance than endless regurgitation of (S^2)(D^2) on NANOG-L. Eddy -- Everquick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita ________________________________________________________________________ DO NOT send mail to the following addresses: davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.
On Mon, 14 Apr 2008, Adrian Chadd wrote:
There already has been a paradigm shift. University students ("college" for you 'merkins) use facebook, myspace (less now, thankfully!) and IMs as their primary online communication method. A number of students at my university use email purely because the university uses it for internal systems and communication, and use the above for everything else.
That is not anything new. ICQ is 10 years old and IRC was common in the early 90s. I would guess plenty of people on this list use (and used back then) both to talk to their friends and team mates. The question is what tool are people going to use to talk to people, government bodies and companies that they are not "friends" with? Even if the person you want to contact is on IM it is likely they will block messages from random people due to the existing Spam problem there. -- Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT.
SL> Date: Mon, 14 Apr 2008 14:47:12 +1200 (NZST) SL> From: Simon Lyall SL> The question is what tool are people going to use to talk to people, SL> government bodies and companies that they are not "friends" with? SL> Even if the person you want to contact is on IM it is likely they SL> will block messages from random people due to the existing Spam SL> problem there. Hence the need for semi-transitive trust. What tool do people use to exchange packets with networks with which they are not peers? We've already solved some of the same underlying principles. Red car, blue car; both are built the same. Eddy -- Everquick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita ________________________________________________________________________ DO NOT send mail to the following addresses: davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.
On Mon, Apr 14, 2008, Simon Lyall wrote:
That is not anything new. ICQ is 10 years old and IRC was common in the early 90s. I would guess plenty of people on this list use (and used back then) both to talk to their friends and team mates.
There's a difference here. In the 90's we used IRC and email. Today people use IM applications and web forums/website IMs. There are students which use almost no email outside of communicating to the university, to the point where they never check their university email. :) In fact, the students complain that they're receiving craploads of email from the university and related groups for stuff they don't want - a microcosm of spam on one campus. :) Adrian
On Sun, Apr 13, 2008 at 08:04:12PM -0400, Barry Shein wrote: A number of things that are true, including:
I say the core problem in spam are the botnets capable of delivering on the order of 100 billion msgs/day.
But I say the core problem is deeper. Spam is merely a symptom of an underlying problem. (I'll admit that I often use the phrase "spam problem" but that's somewhat misleading.) The problem is pervasive poor security. Those botnets would not exist were it not for nearly-ubiquitous deployment of an operating system that cannot be secured -- and we know this because we've seen its own vendor repeatedly try and repeatedly fail. But a miserable excuse for an OS is just one of the causes; others have been covered by essays like Marcus Ranum's "Six Dumbest Ideas in Security", so I won't attempt to enumerate them all. That underlying security problem gives us many symptoms: spam, phishing, typosquatting, DDoS attacks, adware, spyware, viruses, worms, data loss incidents, web site defacements, search engine gaming, DNS cache poisoning, and a long list of others. Dealing with symptoms is good: it makes the patient feel better. But it shouldn't be confused with treatment of the disease. Even if we could snap our fingers and stop all spam permanently tomorrow (a) it wouldn't do us much good and (b) some other symptom would evolve to fill its niche in the abuse ecosystem. A secondary point that actually might be more important: We (and I really do mean 'we" because I've had a hand in this too) have compounded our problems by our collective response -- summed up beautifully on this very mailing list a while back thusly: If you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is "it isn't scaling well". --- Paul Vixie on NANOG We need to hold ourselves accountable for the security problems in our own operations, and then we need to hold each other accountable. This is very different from our strategy to date -- which, I submit, has thoroughly proven itself to be a colossal failure. ---Rsk
On Sun, Apr 13, 2008 at 11:48:31PM -0400, Rich Kulawiec wrote:
On Sun, Apr 13, 2008 at 08:04:12PM -0400, Barry Shein wrote: A number of things that are true, including:
I say the core problem in spam are the botnets capable of delivering on the order of 100 billion msgs/day.
But I say the core problem is deeper. Spam is merely a symptom of an underlying problem. (I'll admit that I often use the phrase "spam problem" but that's somewhat misleading.)
The problem is pervasive poor security. Those botnets would not exist were it not for nearly-ubiquitous deployment of an operating system that cannot be secured -- and we know this because we've seen its own vendor repeatedly try and repeatedly fail. But a miserable excuse for an OS is just one of the causes; others have been covered by essays like Marcus Ranum's "Six Dumbest Ideas in Security", so I won't attempt to enumerate them all.
Is there a (nontrivial) OS that can be secured inexpensively, ie. for the price that is paid for by shoppers at your local big box outlet? To me, that's as much the problem as anything else that's been written so far. The Internet is what it is largely because that is what the users (collectively) will pay for. Furthermore, it's not so much the OS as it is the applications, which arguably might be more securable if Joe and Jane User took the time to enable the security features that are available for the OSes they buy. But that doesn't happen. I don't blame Joe and Jane User; most nontechnical people do not view their home or work systems as something more than an appliance for getting work done or personal entertainment.
A secondary point that actually might be more important:
We (and I really do mean 'we" because I've had a hand in this too) have compounded our problems by our collective response -- summed up beautifully on this very mailing list a while back thusly:
If you give people the means to hurt you, and they do it, and you take no action except to continue giving them the means to hurt you, and they take no action except to keep hurting you, then one of the ways you can describe the situation is "it isn't scaling well". --- Paul Vixie on NANOG
We need to hold ourselves accountable for the security problems in our own operations, and then we need to hold each other accountable. This is very different from our strategy to date -- which, I submit, has thoroughly proven itself to be a colossal failure.
One of the things I like about this list is that it consists of people and organizations who DO hold themselves accountable. But as long as it's not the collective will of the Internet to operate securely, not much will change. --gregbo
if we got rid of or incapacitated the massive botnets that would be a trickle, manageable, and hardly be worth fussing about, particularly on an operational list.
this presumes non-inventive spammers, which i fear is not the case. but it sure would be a good place to start :) randy
On Apr 13, 2008, at 2:24 PM, Joe Greco wrote:
For example, I feel very strongly that if a user signs up for a list, and then doesn't like it, it isn't the sender's fault, and the mail isn't spam. Now, if the user revokes permission to mail, and the sender keeps sending, that's covered as spam under most reasonable definitions, but that's not what we're talking about here.
To expect senders to have psychic knowledge of what any individual recipient is or is not going to like is insane. Yet that's what current expectations appear to boil down to.
This is actually becoming a method some groups are using to attempt to censor others. This happened to one of our customers a while back: Site A publishes some things that Group B finds objectionable. Group B wants to get it removed, but it's not illegal, against the hosting company's TOS or copyright infringement. Group B tells all of it's members to go to Site A and sign up for A's discussion forum, using as many email addresses as they own. A user registers for an account (one email sent to the user to confirm their email address). The user clicks the confirmation link, then gets an introductory email. The user then does everything possible on the site that could generate emails. Password changes. "Notify me by email when the forum has a new post" activated. Sending private messages to each other. Etc. When they've got thousands of users signed up, each with between 6 and 20 emails from Site A, Group B tells all of its users to go through all the emails and click "Report as Spam" on every one of them. Every mail provider out there suddenly sees tens of thousands of reported spams coming from Site A from a wide range of people, and can independently verify that other sources are seeing elevated levels of spam from Site A's mail server. Everyone blocks mail from Site A, thinking it's a spam source. This took an insane amount of time to sort out. If the organizer of "Group B" hadn't emailed me personally confirming (and bragging) about what they had done, I still probably wouldn't have believed it. Our AOL feedback loop took days to go through, and contacting every blacklist we had our mail server entered on and convincing them of our story was difficult to put it mildly. And to make this mildly on- topic, we resolved this somewhat quickly with every provider except Yahoo - which never responded to any of our emails or form submissions. Then there are the users who apparently think the "Report as Spam" button is like a spare for the "Delete" button, and use them interchangeably... We regularly have users who sign up for a mailing list, click the opt-in confirmation link, then report the confirmation email as spam. We remove them from the mailing list, then they complain they aren't getting their list anymore. We reply back explaining why they were removed, and they report our reply as spam. -- Kevin
Filtering stinks. It is resource-intensive, time-consuming, error-prone, and pretty much an example of something that is desperately flagging "the current e-mail system is failing."
Hear, hear!
You want to define standards? Let's define some standard for establishing permission to mail. If we could solve the permission problem, then the filtering wouldn't be such a problem, because there wouldn't need to be as much (or maybe even any). As a user, I want a way to unambiguously allow a specific sender to send me things, "spam" filtering be damned. I also want a way to retract that permission, and have the mail flow from that sender (or any of their "affiliates") to stop.
Right now I've got a solution that allows me to do that, but it requires a significant paradigm change, away from single-e-mail-address.
In general, your "permission to send" idea is a good one to put in the requirements list for a standard email architecture. But your particular solution stinks because it simply adds another bandage to a creaky old email architecture that is long past its sell-by date. IMHO, the only way that Internet email can be cleaned up is to create an entirely new email architecture using an entirely new set of protcols with entirely new port assignments and no attempt whatsoever to maintain reverse compatibility with the existing architecture. That is a fair piece of work and requires a lot of people to get their heads out of the box and apply some creativity. Many will say that the effort is doomed before it starts because it is not compatible with what went before. I don't buy that argument at all. In any case, a new architecture won't come about until we have some clarity of the requirements of the new architecture. And that probably has to be hashed out somewhere else, not on any existing mailing list. --Michael Dillon
You want to define standards? Let's define some standard for establishing permission to mail. If we could solve the permission problem, then the filtering wouldn't be such a problem, because there wouldn't need to be as much (or maybe even any). As a user, I want a way to unambiguously allow a specific sender to send me things, "spam" filtering be damned. I also want a way to retract that permission, and have the mail flow from that sender (or any of their "affiliates") to stop.
Right now I've got a solution that allows me to do that, but it requires a significant paradigm change, away from single-e-mail-address.
In general, your "permission to send" idea is a good one to put in the requirements list for a standard email architecture. But your particular solution stinks because it simply adds another bandage to a creaky old email architecture that is long past its sell-by date.
Yes. I'm well aware of that. My requirements list included that my solution be able to actually /fix/ something with /today's/ architecture; this is a practical implementation to solve a real problem, which was that I was tired of vendor mail being confused for spam. So, yes, it stinks when compared to the concept of a shiny new mail architecture. However, it currently works and is successfully whitelisting the things I intended. I just received a message from a tool battery distributor that some batteries I ordered months ago are finally shipping. It was crappy HTML, and I would normally have completely missed it - probably even forgetting that we had ordered them, certainly not recognizing the "From" line it came from. It's a success story. Rare. You are welcome to scoff at it as being a stinky bandaid on a creaky mail system.
IMHO, the only way that Internet email can be cleaned up is to create an entirely new email architecture using an entirely new set of protcols with entirely new port assignments and no attempt whatsoever to maintain reverse compatibility with the existing architecture. That is a fair piece of work and requires a lot of people to get their heads out of the box and apply some creativity. Many will say that the effort is doomed before it starts because it is not compatible with what went before. I don't buy that argument at all.
In any case, a new architecture won't come about until we have some clarity of the requirements of the new architecture. And that probably has to be hashed out somewhere else, not on any existing mailing list.
If such a discussion does come about, I want people to understand that user-controlled permission is a much better fix than arbitrary spam filtering steps. There's a lot of inertia in the traditional spam filtering advice, and a certain amount of resistance to considering that the status quo does not represent e-mail nirvana. Think of it as making that "unsubscribe" at the bottom of any marketing e-mail actually work, without argument, without risk. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Folks, Can we wrap the mail threads up or at least move them over to their respective best-places like zorch, nsp-sec, spam-l, asrg, or yet-another-favorite-list-for-spam-religion? We've gone far beyond typical mass-mail operations. Best Regards, Marty -- Martin Hannigan http://www.verneglobal.com/ Verne Global Datacenters e: hannigan@verneglobal.com Keflavik, Iceland p: +16178216079
Can we wrap the mail threads up
actually, i am still learning from some of them. i have a hypothesis to add nanog list volume is proportional to S + E where S is the amount of Slack time the active members have and E is the existence of a significant Event in the absence of a significant event, volume is directly driven by the amount of free time we have at the tube. as there is no event to discuss, we will discuss whatever is kinda interesting, often the same subjects. after all, this is a discussion forum, not a current news desk. if an operational event ocurrs, discussion of it quickly predominates over the S component. if we could watch this happening, we might even learn something interesting about information flow in our culture, as the wavefront of the E information causes posters attention to move. and, in the absence of an E, and S being diverted to to actual paid work, volume goes down. as pfs mentioned this eve, some time in the last months, the shortage of E and S was so severe that someone posted an "is the list working" test message. randy
-----Original Message----- From: Randy Bush [mailto:randy@psg.com] Sent: Monday, April 14, 2008 12:56 PM To: Martin Hannigan Cc: nanog@merit.edu Subject: nanog volume (was: Problems sending mail to yahoo?)
Can we wrap the mail threads up
actually, i am still learning from some of them.
Great, I'll stop the world. -M<
On Sun, 13 Apr 2008, Barry Shein wrote:
For example, and it's only an example don't quibble the example, defining a list of return SMTP codes which are actually specific and meaningful like (let's assume they should be 5xx, maybe 7xx would be a better start? Policy failure codes) [...] and so on, a taxonomy which could then at least be dealt with intelligently by sending MTAs and supporting software rather than each side cooking up their own stuff.
See RFC 3463. Unfortunately it doesn't help much to solve the problem it was designed for. I ranted about this a while back... http://www.ietf.org/mail-archive/web/ima/current/msg00588.html Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ BAILEY: NORTHWESTERLY 6 TO GALE 8, VEERING SOUTHEASTERLY 4 OR 5. MODERATE OR ROUGH. RAIN OR SHOWERS, THEN FAIR. MODERATE OR GOOD.
participants (20)
-
Adrian Chadd -
Barry Shein -
Dave Dennis -
Edward B. DREGER -
Geo. -
Greg Skinner -
Joe Greco -
Kevin Day -
Martin Hannigan -
michael.dillon@bt.com -
Peter Dambier -
Randy Bush -
Raymond L. Corbin -
Rich Kulawiec -
Rob Szarka -
Roger Marquis -
Simon Lyall -
Steve Atkins -
Suresh Ramasubramanian -
Tony Finch