Re: Despamming wholesale dialup
To address this I have proposed installing filters that will only allow these folks to connect to port 25 of the ISP that has bought the ports. This way they are not able to relay off of anyone else's machine.
The problem is for companies like ours that live by selling mail accounts to users of other ISPs. They need POP and SMTP access to our mail servers, from wherever they are calling. We are running sendmail v8.9.1 with all the anti-relay stuff and RBL besides. The problem you have is the same one we have for secured SMTP, maybe easier. How do you tell the site is secure? In this case testing for open relays is well known.
What I really suggest, and this takes some work on your part, is to contact the site's admin and inform them of their open-relay status. If they won't close the relay, block them. Alternatively, you can assume that if they haven't gotten their relays closed by now they are too clue-less to do so and block them immediately, with notification.
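Roeland says that testing for open relays is well known. The probe below is an added example, not code from any poster: it performs the minimal SMTP exchange a relay test needs (EHLO, MAIL FROM with an outside sender, RCPT TO with an outside recipient, then RSET and QUIT, so nothing is ever delivered) and reports whether the RCPT was accepted. Because it has to run offline, it also carries a constructed fake SMTP server that accepts mail only for the made-up domain test.local and either relays or answers 550. The addresses probe.example.net and victim.example.org are assumed external and are not from the thread.

```python
"""Open-relay probe plus a constructed fake SMTP server for offline testing.

Added example, not code from the thread. The hostnames and addresses are
made up: probe.example.net / victim.example.org are assumed external
domains, test.local is the fake server's own domain.
"""
import smtplib
import socket
import threading

LOCAL_DOMAIN = "test.local"  # the fake server accepts mail only for this domain


def _address_in(line):
    """Extract the bracketed address from 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b>'."""
    start, end = line.find("<"), line.find(">")
    return line[start + 1:end] if start != -1 and end > start else ""


def _serve_one(listener, open_relay):
    """Handle a single SMTP session, then close. Speaks just enough SMTP for a probe."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    rfile = conn.makefile("rb")

    def reply(text):
        conn.sendall((text + "\r\n").encode("ascii"))

    reply("220 %s fake ESMTP" % LOCAL_DOMAIN)
    try:
        while True:
            raw = rfile.readline()
            if not raw:
                break
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                reply("250 %s" % LOCAL_DOMAIN)
            elif verb == "MAIL":
                reply("250 2.1.0 Sender ok")
            elif verb == "RCPT":
                domain = _address_in(line).rpartition("@")[2].lower()
                if domain == LOCAL_DOMAIN or open_relay:
                    reply("250 2.1.5 Recipient ok")
                else:
                    reply("550 5.7.1 Relaying denied")  # what a closed relay answers
            elif verb in ("RSET", "NOOP"):
                reply("250 2.0.0 OK")
            elif verb == "QUIT":
                reply("221 2.0.0 Bye")
                break
            else:
                reply("502 5.5.2 Command not implemented")
    finally:
        rfile.close()
        conn.close()
        listener.close()


def start_fake_server(open_relay):
    """Start a one-session fake SMTP server on 127.0.0.1; returns its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_one, args=(listener, open_relay), daemon=True).start()
    return port


def probe_open_relay(host, port, sender="probe@probe.example.net",
                     recipient="nobody@victim.example.org", timeout=10):
    """Return True if host relays sender -> recipient (both non-local), False if it
    refuses at RCPT, None if the test could not be run (e.g. MAIL rejected).
    Nothing is delivered: the session is reset before DATA and then closed."""
    with smtplib.SMTP(host, port, local_hostname="probe.example.net",
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(sender)
        if code != 250:
            return None
        code, _ = smtp.rcpt(recipient)
        smtp.rset()
        return code in (250, 251)


if __name__ == "__main__":
    for flag in (True, False):
        port = start_fake_server(open_relay=flag)
        print("open_relay=%s -> probe says %s" % (flag, probe_open_relay("127.0.0.1", port)))
```

Against a real host you would point probe_open_relay at port 25 of the candidate server, and only with the owner's permission. A clean answer from this one form does not prove the relay closed: the classic relay tests also try the older routing forms such as user%victim.example.org@target, "user@victim.example.org"@target and @target:user@victim.example.org, which a server may accept even when it refuses the plain form.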
The problem is when the spam-bastard isn't relaying. We've been getting thousands of messages every week from spammers who buy dialup from various places, then connect directly to the destination mail server to deliver the mail. That's what this prevents. I don't know of any other method that does.
An interesting answer to the problem you discussed above was suggested by somebody from the EFF at a spam BOF at USENIX this summer. He suggested that by default, you filter on port 25. But if somebody needs access for legitimate reasons, or even if they don't, have a letter they can fill out, sign, and send in which states that they will not send spam, subject to a $500/message penalty. Then if they do, just bill them.
An alternative for you would be to run a mail server on a different port...
-------Scott.
First Harold outlined this plan for AGIS modems rented to ISPs:
To address this I have proposed installing filters that will only allow these folks to connect to port 25 of the ISP that has bought the ports. This way they are not able to relay off of anyone else's machine.
Then Roeland recommended:
What I really suggest, and this takes some work on your part, is to contact the site's admin and inform them of their open-relay status.
We do this now. When a site is blocked by our subscription to ORBS, I send them a nice friendly note, admin to admin. How many? A couple hundred a month. Some fix it promptly. Some send me a nice thank you note. Most don't (do either one).
And more:
If they won't close the relay, block them. Alternatively, you can assume that if they haven't gotten their relays closed by now they are too clue-less to do so and block them immediately, with notification.
Sometimes we get complaints from the ORBS-blocked ISP's customers (via my customers). Got two recently from customers of some Dallas- and Houston-based ISPs. We notified these ISPs 1 and 2 months ago respectively. Clue deficient, or priorities skewed? If they would just call me and tell me when they will fix it, we could make arrangements.
Then Scott reiterated:
The problem is when the spam-bastard isn't relaying. We've been getting thousands of messages every week from spammers who buy dialup from various places, then connect directly to the destination mail server to deliver the mail. That's what this prevents. I don't know of any other method that does.
If all the ISPs won't do what Harold has proposed, then we have no choice, in our own self defense, but to block port 25 from all the modems by IP (and open up corresponding holes for responsible SMTP servers in the same netblock).
But my question is - Would responsible netops be willing to give me a list of their (non-relaying) SMTP servers?
Anything toward fixing the problem is appreciated.
-bryan abuse@capnet.state.tx.us T:512.936.2248 F:512.463.3456
Bryan Bradsby summarized:
First Harold outlined this plan for AGIS modems rented to ISPs:
To address this I have proposed installing filters that will only allow these folks to connect to port 25 of the ISP that has bought the ports. This way they are not able to relay off of anyone else's machine.
Then Roeland recommended:
What I really suggest, and this takes some work on your part, is to contact the site's admin and inform them of their open-relay status.
These are actually two separate issues:
1. Open SMTP relays
2. Dialup ports open to all SMTP servers
While these two issues do interact, and a perfect solution to one of them makes the other much less of an impact, they do both need to be addressed as distinct issues.
Making sure that the SMTP servers that a given dialup user is supposed to use are closed for relaying (but they have to be open to this dialup user to be able to send legitimate mail to anyone) does not solve issue #2 relative to the dialup user. If the dialup user is a spammer using one of the bulk mailing packages, that user will be contacting SMTP servers other than at his ISP in order to "spread the load" and reduce his costs.
What Harold has proposed is to make sure the dialup user is only able to use the SMTP servers of his dialup ISP. Roeland points out that many dialup users need to access the SMTP server of yet another provider they use, but via the dialup of the first. This may be required because the dialup user may be sourcing his mail from a domain he legitimately owns, but which is not recognized by the SMTP server of his dialup ISP.
We do this now. When a site is blocked by our subscription to ORBS, I send them a nice friendly note, admin to admin. How many? A couple hundred a month. Some fix it promptly. Some send me a nice thank you note. Most don't (do either one).
While I do block relaying through my SMTP server (you cannot send to an unrecognized domain from an IP that resolves to an unrecognized domain) and I do block access to SMTP servers other than my own for most dialup users (those known to run their own valid mail servers get an exemption) I do not block known relay SMTP sites. I feel I do not need to do this because I already block my dialup users from all but my own SMTP ports. Since some spammers actually operate by direct contact to the MX server of the intended reci... err... victim, I feel the port blocking is a better solution than open relay blocking. The former is easier to do and the latter, I feel, is more difficult to do. I also do not filter source addresses for my customers on my mail servers. Customers of virtual web services can simply direct their outgoing mail (the "SMTP server" hostname in most mail programs, such as Netscape Communicator) through my SMTP server, smtp.intur.net, if they are a dialup customer of ours. Thus they can have their From/Reply state their domain name, and still send e-mail to anyone on the net, including those at places with open relays (not that I condone this).
Then Scott reiterated:
The problem is when the spam-bastard isn't relaying. We've been getting thousands of messages every week from spammers who buy dialup from various places, then connect directly to the destination mail server to deliver the mail. That's what this prevents. I don't know of any other method that does.
If all the ISPs won't do what Harold has proposed, then we have no choice in our own self defense, but to block port 25 from all the modems by IP (and open up corresponding holes for responsible SMTP servers in the same netblock).
I do this by account when I generate the RADIUS files from our database (done when a change is detected on each 15 minute config update cycle). Thus, I can enable the hole on a per-account, not per IP, basis. That keeps me from having long access lists.
But my question is - Would responsible netops be willing to give me a list of their (non-relaying) SMTP servers?
I'm curious what such a list would be used for. Would you limit access to just those SMTP servers? Would that not form a rather long access list?
-- Phil Howard KA9WGN | Inturnet, Inc., Business Internet Solutions | Director of Internet Services | eng at intur.net | philh at intur.net
On Fri, 30 Oct 1998, Phil Howard wrote:
These are actually two separate issues:
1. Open SMTP relays
2. Dialup ports open to all SMTP servers
While these two issues do interact, and a perfect solution to one of them makes the other much less of an impact, they do both need to be addressed as distinct issues.
Exactly. Attempting to assist responsible netops in closing their open relays addresses issue #1. Send them a respectful, helpful and friendly note. I would like to discuss item #2. See below.
But my question is - Would responsible netops be willing to give me a list of their (non-relaying) SMTP servers?
I'm curious what such a list would be used for. Would you limit access to just those SMTP servers?
Exactly. I would open up port 25 incoming for responsible (not an open relay) SMTP servers. Thus real customers could send their legitimate mail.
Block port 25 (only) from all "open modem banks" (TM) to my SMTP servers. If implemented on a large enough scale, the modem user will be 'encouraged' to use the SMTP server supplied with their account. Make each dialup customer go through, and be authenticated by, their own SMTP server.
Each OMB filter will most likely be a /24 or larger block of IP addresses.
The logic is simple. There are more modems than SMTP servers. Block port 25 from the OMBs, open up for corresponding (responsible) SMTP servers.
Either an operator directs (by filter) port 25 on his modem banks to his SMTP servers (preventing OMB), or we do it for him. The intent is a convergence on a suggested Best Practice.
Would that not form a rather long access list?
Perhaps for a router or firewall, but not for a sendmail access.db.
-- Phil Howard KA9WGN | Inturnet, Inc., Business Internet Solutions | Director of Internet Services | eng at intur.net | philh at intur.net
-bryan abuse@capnet.state.tx.us
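Bryan's answer to "would that not form a rather long access list" is that it stays short in a sendmail access.db because sendmail matches IP keys from the most specific to the least specific. The following is an added example, not the thread's or sendmail's own code: it simulates that lookup order on a constructed map so the effect is visible, a REJECTed /24 modem bank with one OK'd host punched back through it, and it counts how many keys an arbitrary CIDR costs. The addresses are from the documentation ranges and are not from the thread; the untagged key form is the one sendmail 8.9 used (later versions prefix connection keys with Connect:, with the same lookup order).

```python
"""Simulation of sendmail's access-map lookup order for connecting hosts.

Added example, not code from the thread or from sendmail. It models the
untagged key form of sendmail 8.9's FEATURE(access_db): an IP is looked up
as the full address, then with trailing octets removed one at a time, and
the first key found wins, so a specific host can be OK'd inside a REJECTed
/24. All addresses are constructed from documentation ranges.
"""
import ipaddress

# Constructed map: two "open modem banks" rejected as /24s, each with its
# provider's (assumed non-relaying) SMTP server punched back through, plus
# our own dialup pool which is allowed to relay, minus one abuser.
ACCESS_MAP = {
    "203.0.113":    "REJECT",                         # modem bank: no direct port 25 to us
    "203.0.113.25": "OK",                             # that ISP's own outbound mail host
    "198.51.100":   "REJECT",                         # another modem bank
    "198.51.100.7": "OK",
    "192.0.2":      "RELAY",                          # our own dialup users may relay
    "192.0.2.99":   "550 Mail from this host refused",  # except one abuser
}


def lookup(ip, access_map=ACCESS_MAP):
    """Return (key, value) of the most specific matching entry, or (None, None).
    Tries a.b.c.d, then a.b.c, then a.b, then a, exactly like sendmail."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    for n in range(4, 0, -1):
        key = ".".join(octets[:n])
        if key in access_map:
            return key, access_map[key]
    return None, None


def connection_policy(ip, access_map=ACCESS_MAP):
    """Collapse a lookup into what the MTA does for a connecting client:
    'reject' (refuse), 'relay' (accept and relay for it), or 'accept'
    (accept mail for local domains only, which is also the default)."""
    _, value = lookup(ip, access_map)
    if value is None or value == "OK":
        return "accept"
    if value == "RELAY":
        return "relay"
    return "reject"  # REJECT, DISCARD and a 5xx text all refuse, as far as relaying goes


def entries_for_block(cidr):
    """Untagged keys needed to cover a CIDR: one per octet-aligned prefix.
    A /24 or /16 is one key; a /22 is four; a /25 is 128 host keys."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen % 8 == 0:
        keep = net.prefixlen // 8
        return [".".join(str(net.network_address).split(".")[:keep])]
    boundary = 8 * ((net.prefixlen + 7) // 8)  # next octet boundary
    return [".".join(str(s.network_address).split(".")[:boundary // 8])
            for s in net.subnets(new_prefix=boundary)]


if __name__ == "__main__":
    for ip in ("203.0.113.77", "203.0.113.25", "192.0.2.5", "192.0.2.99", "8.8.8.8"):
        print("%-14s %-14s %s" % (ip, lookup(ip)[0], connection_policy(ip)))
    print("203.216.0.0/16 ->", entries_for_block("203.216.0.0/16"))
    print("10.0.0.0/22    ->", entries_for_block("10.0.0.0/22"))
```

Two things follow from the lookup order: the exception for the responsible server must be a full four-octet key, and a block that is not octet-aligned costs several keys, so the "/24 or larger" filters Bryan expects are the cheap case while a /22 needs four entries and a /25 needs one per host.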
NEW SOFTWARE, NOT CONGRESS MAY STOP SPAM (Source: PC World Online)
If you're sick of being deluged with junk e-mail, don't look for relief from Congress, where only one pending bill is even close to passage. http://www.idg.net/go.cgi?id=34539
hmm this may be an option worth looking into....
Henry R. Linneweh
Bryan Bradsby wrote:
http://www.brightlight.com/
On Fri, 30 Oct 1998, Henry Linneweh wrote:
I would be glad to talk to folks about how the Bright Mail works. I and we think it will be pretty effective in reducing not only incoming spam for users but monitoring and blocking outgoing spam for ISPs that use the product.
Tim
scott w wrote:
Bryan Bradsby wrote:
-- Tim Pozar, Dir. of Operations, Bright Light Technologies, Inc. | 915 Cole Street, No. 338, San Francisco, CA 94117 | 415.905.5595(w) 415.905.5188(f)
Now hiring Anti-Spam Experts, Sr. Sales Execs, Sys-Admins, and Sr. Product Marketing Mngrs.
scott w wrote:
This product+service appears to only deal with incoming advertising. I do not necessarily want that kind of solution. If my customers want it, I could certainly offer it. I know that I personally would not "opt in" even though I dislike unsolicited advertising in my mail.
My greatest concern is not the incoming spam, but the outgoing and relayed spam where the complaints get directed back to me. That is why I took measures to cut off the outgoing spam.
We do not offer such services, and since there are ISPs that do, I have no worry about the rights of advertisers. There always will be an ISP somewhere willing to do what it takes to get the business if a market exists. I'm simply not interested in offering to that market.
But thanks for the lead about Brightlight. If it turns out to be something of value to us, we may get it.
-- Phil Howard KA9WGN | Inturnet, Inc., Business Internet Solutions | Director of Internet Services | eng at intur.net | philh at intur.net
Bryan Bradsby wrote:
Block port 25 (only) from all "open modem banks" (TM) to my SMTP servers. If implemented on a large enough scale, the modem user will be 'encouraged' to use the SMTP server supplied with their account. Make each dialup customer go through, and be authenticated by their own SMTP server.
I think I see an additional problem creeping in here.
The question is whether a dialup user should use the SMTP server of the facility provider, or of the ISP that actually resells the account. You could have virtual ISP resellers with no facilities at all, but let's take a look at a small ISP that does have facilities, and is reselling dialup to a national provider so his local business customers can have roaming access without calling an 800 number.
If the small ISP opens their SMTP server to the IP addresses of the big national dialup provider, which they would have to do in order to be able to handle that roaming customer who could be just about anywhere, will they not also be opening themselves up to being a relay for any spammer that uses any reseller of that national provider? Will not such spammers then have access to every ISP doing reselling via that national one?
I think the SMTP server that should be used when dialing that national provider is the SMTP server provided by that national provider, unless some kind of VPN is used (to be more technically correct, use the SMTP server of the provider of IP addressing).
Roeland's issue still applies when the dialup customer is using his domain name as the FROM/REPLY. But if the national provider's SMTP servers accept any domain name in the FROM/REPLY, and just log the reality as it sees it in the header (e.g. dialup port and time which can be cross checked with the access logs), then anyone can use these dialups, and spammers won't get the advantage of being able to spew their filth to other than the SMTP server of the dialup provider.
-- Phil Howard KA9WGN | Inturnet, Inc., Business Internet Solutions | Director of Internet Services | eng at intur.net | philh at intur.net
On 30 Oct, Phil Howard wrote:
Bryan Bradsby wrote:
Block port 25 (only) from all "open modem banks" (TM) to my SMTP servers.
The question is whether a dialup user should use the SMTP server of the facility provider, or of the ISP that actually resells the account.
I think the SMTP server that should be used when dialing that national provider is the SMTP server provided by that national provider, unless some kind of VPN is used (to be more technically correct, use the SMTP server of the provider of IP addressing).
Port 25 restrictions don't solve the problem. The real solution is for everyone to start leaning on their server vendors to deliver authenticated SMTP. If you restrict relaying to only work with authenticated connections, the problem goes away for the most part. This solves another problem: mobile users. E.g., if I'm on the road doing corporate mail, I want to connect to my corporate mail server running encrypted SMTP. I certainly don't want my mail sitting on some random ISP's mail hub. I don't expect this to catch on in the client space in any major way until the issue is forced by the servers denying relay services to unauthenticated clients.
--lyndon
Lyndon Nerenberg wrote:
Port 25 restrictions don't solve the problem. The real solution is for everyone to start leaning on their server vendors to deliver authenticated SMTP. If you restrict relaying to only work with authenticated connections, the problem goes away for the most part.
Port 25 restrictions did solve the problem. The problem was that we were being used for spamming. It was very expensive for us to deal with it. We cut it off. It worked. It solved the problem. This is simply a fact. These restrictions are certainly not the ultimate solution. But it will take time to get things like authenticated SMTP fully debugged and deployed. In the meantime it is unacceptable to have to deal with the spam complaints.
This solves another problem: mobile users. E.g., if I'm on the road doing corporate mail, I want to connect to my corporate mail server running encrypted SMTP. I certainly don't want my mail sitting on some random ISPs mail hub.
Then with port 25 restrictions, it should encourage them to implement and deploy it sooner. They can use VPN tunnels, too. The alternatives exist.
I don't expect this to catch on in the client space in any major way until the issue is forced by the servers denying relay services to unauthenticated clients.
With the number of different points of administration for mail servers far exceeding the number of points of administration for dialup servers, it would take far more time and effort to ensure that all servers are closed off when the effort is directed at mail servers than at dialup. That does not mean I would suggest abandoning trying to make mail servers closed off for spammers. What I do propose, and do in practice, is both. Doing both increases the total effectiveness.
-- Phil Howard KA9WGN | Inturnet, Inc., Business Internet Solutions | Director of Internet Services | eng at intur.net | philh at intur.net
There are solutions available to this problem, the primary one being the "smtp-after-pop" hack that is widely available and fairly widely used. Essentially, issuing a STAT command opens up an SMTP relay window for <admin-definable> minutes, whereupon if the user hasn't issued another STAT in the mean time [e.g. they logged off] the "hole" goes away. We were using that at my last job and it works just fine.
At 12:38 PM 10/30/98 -0600, Phil Howard wrote:
If the small ISP opens their SMTP server to the IP addresses of the big national dialup provider, which they would have to do in order to be able to handle that roaming customer who could be just about anywhere, will they not also be opening themselves up to being a relay for any spammer that uses any reseller of that national provider? Will not such spammers then have access to every ISP doing reselling via that national one?
How about checking the MAIL FROM: part of the message? If a spammer tries to use an invalid address, the small isp's sendmail can reject it outright.
I think the SMTP server that should be used when dialing that national provider is the SMTP server provided by that national provider, unless some kind of VPN is used (to be more technically correct, use the SMTP server of the provider of IP addressing).
Yes, but how does the user know to change this? A redirection (some policy routing and port fudging will help), but it may be easier for the visp client to be authenticated in some way (like a RADIUS scheme that picks up the current remote IP address of the user and allows relay from that address while the user is online).
TERRY
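Lyndon's authenticated SMTP, Derek's SMTP-after-POP window and Terry's RADIUS-based allow are three ways of answering the same question, "may this client relay?", from different evidence. The class below is an added example, not code from any poster's system, that combines them in one decision: a successful SMTP AUTH, a recent authenticated POP session (the window Derek describes, keyed by IP and refreshed on each STAT), or a RADIUS Accounting Start for the address without a matching Stop. The window length, networks, addresses and user names are constructed, and the clock is injected so the expiry can be shown deterministically.

```python
"""Relay decision combining three mechanisms proposed in the thread.

Added example, not code from any poster's system. It decides whether a
connecting client may relay based on (1) a successful SMTP AUTH, (2) a
POP-before-SMTP window opened by a recent authenticated POP session, or
(3) a RADIUS accounting session that says the address is currently
assigned to a dialup account. Addresses, users and the 15-minute window
are constructed; a fake clock keeps the demo deterministic.
"""
import ipaddress
import time


class RelayPolicy:
    def __init__(self, local_nets, window_seconds=15 * 60, clock=time.time):
        self.local_nets = [ipaddress.ip_network(n) for n in local_nets]
        self.window = window_seconds
        self.clock = clock
        self.pop_seen = {}       # ip -> time of last authenticated POP command
        self.radius_online = {}  # ip -> username, from Accounting-Request Start

    # --- event sources ---------------------------------------------------
    def pop_authenticated(self, ip):
        """Called by the POP server after USER/PASS succeeded, and again on each
        STAT, so the window is refreshed while the user keeps checking mail."""
        self.pop_seen[ip] = self.clock()

    def radius_accounting(self, acct_status_type, framed_ip, user_name):
        """Feed RADIUS Accounting-Request packets (Acct-Status-Type Start/Stop)."""
        if acct_status_type == "Start":
            self.radius_online[framed_ip] = user_name
        elif acct_status_type == "Stop":
            # Only drop the mapping if it still belongs to this user: the same
            # address may already have been handed to the next caller.
            if self.radius_online.get(framed_ip) == user_name:
                del self.radius_online[framed_ip]

    # --- the decision ----------------------------------------------------
    def may_relay(self, ip, smtp_authenticated=False):
        """Return (allowed, reason). An authenticated SMTP session is trusted
        regardless of where it comes from; the rest is keyed by client IP."""
        if smtp_authenticated:
            return True, "smtp-auth"
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.local_nets):
            return True, "local-net"
        user = self.radius_online.get(ip)
        if user is not None:
            return True, "radius-session:" + user
        seen = self.pop_seen.get(ip)
        if seen is not None:
            if self.clock() - seen <= self.window:
                return True, "pop-before-smtp"
            del self.pop_seen[ip]  # window expired; forget it
        return False, "relaying denied"


def demo():
    """Walk a roaming dialup user through the three paths; returns the decisions."""
    now = [1_000_000.0]
    policy = RelayPolicy(["192.0.2.0/24"], window_seconds=900, clock=lambda: now[0])
    roaming_ip = "203.0.113.40"  # constructed: a port on someone else's modem bank
    results = {}
    results["unknown"] = policy.may_relay(roaming_ip)
    policy.pop_authenticated(roaming_ip)
    results["after_pop"] = policy.may_relay(roaming_ip)
    now[0] += 901                # one second past the window
    results["pop_expired"] = policy.may_relay(roaming_ip)
    policy.radius_accounting("Start", roaming_ip, "alice")
    results["radius_on"] = policy.may_relay(roaming_ip)
    policy.radius_accounting("Stop", roaming_ip, "alice")
    results["radius_off"] = policy.may_relay(roaming_ip)
    results["auth"] = policy.may_relay(roaming_ip, smtp_authenticated=True)
    results["home"] = policy.may_relay("192.0.2.9")
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-12s %-5s %s" % (name, ok, why))
```

The order of checks matters: SMTP AUTH wins regardless of source address. Both the POP window and the RADIUS session are keyed by client IP, so on a dialup pool an address reassigned to the next caller inside the window inherits the permission; the Stop handler guards the obvious race by clearing the mapping only when the user matches, but nothing closes that gap entirely, which is the argument for Lyndon's per-session authentication.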
Block port 25 (only) from all "open modem banks" (TM) to my SMTP servers. If implemented on a large enough scale, the modem user will be 'encouraged' to use the SMTP server supplied with their account. Make each dialup customer go through, and be authenticated by their own SMTP server.
How about putting a port 25 redirect on your modem bank? (Catch it coming in, send to your sendmail machine, reject stupid To: lines and idiotic From: lines, etc, etc. Maybe tag the email with an ident from your own system, and make spam tracking real easy...) Once many ISPs stop their users from using other people's resources for spam, then maybe the practice will cease?
TERRY
On 10/29/98, Bryan Bradsby <Bryan.Bradsby@capnet.state.tx.us> wrote:
We do this now. When a site is blocked by our subscription to ORBS, i send them a nice friendly note, admin to admin. How many? A couple hundred a month. Some fix it promptly. Some send me a nice thank you note. Most don't (do either one).
Quick note about ORBS: there are people ORBS blocks (such as GOL in Japan) which do not have any open relays, and never did. It's purely a personal grudge held by the ORBS operator. Don't rely on ORBS.
-- J.D. Falk <jdfalk@cp.net>, Special Agent In Charge (Abuse Issues), Critical Path, Inc.
"A name indicates what we seek. An address indicates where it is. A route indicates how we get there." -- Jon Postel (1943-1998)
Quick note about ORBS: there are people ORBS blocks (such as GOL in Japan) which do not have any open relays, and never did. It's purely a personal grudge held by the ORBS operator.
Having bought into the "only open relays" and "only automated testing" claims of ORBS, I was doubtful here. I was a bit shocked to find all of 203.216.0.0/16 in the zonefile for ORBS and asked the ORBS maintainer about it. He replied:
The administrator of 203.216.0.0/16 specifically requested ... actually ... demanded that his address space be added to ORBS and that I forever desist from testing his addresses or notifying him of open relays. I had about 70 open relays listed in that range at that time. Since he requested that the entire space be added to ORBS, I complied. This is the only address space in ORBS that comprises more than one address and in which each address has not specifically been tested to be an open relay.
He attached copies of mail from abuse@gol.ad.jp which more or less request exactly that. Copies are available upon request. I also looked through the zonefile a bit more and found no other wildcards.
Apologies to those of you trying to drop the spam thread.
Aaron Hopkins, Chief Technology Officer, Cyberverse, Inc.
participants (11): Bryan Bradsby, Derek Balling, Henry Linneweh, J.D. Falk, lists@die.net, Lyndon Nerenberg, Phil Howard, Scott Gifford, scott w, Terence, Tim Pozar