An end to spam through Graphnet

Hi folks,
Some time back before the latest round of cable cuts and BIND
arguments
you may recall that I notified everyone that Graphnet was being
abused to
transit spam. An ugly mess -- between the bounces and the flood
of 'remove' from
angry recepients plus one wise guy who impersonated our marketing
department
it brought a dual cpu sparc20 to its knees at its height, with
over 100mb on the mail queue awaiting re-delivery or more likely
expiration.

We have put an end to this madness on our systems by building and
configuring the very latest Sendmail v8 and BIND 4.9.6 (attempts
to use v8 failed for being too Berkley,
on a Solaris 2.x system -- but don't start arguing that here
please) in combination with
filters on our gateway router. Load has dropped way down on our
sparc20, and hopefully the spammers will go play with someone
else instead of futilely occupying bandwidth on our circuits .

Let this be an object lesson to those of you out there who have
yet to upgrade:
the spammers will find you sooner or later. They walk down every
A record in every zone until they find a victim. They look in
public databases like RIPE to see what mailboxes are registered
for the zone and they use those names to try to get past your
sendmail filters and launch spam in your name (doesn't work on
us, I thought of that trick).
So go forth to www.isc.org and www.sendmail.org and compile.

Dana Hudes
Graphnet

Hi folks,
Some time back before the latest round of cable cuts and BIND
arguments
you may recall that I notified everyone that Graphnet was being
abused to
transit spam. An ugly mess -- between the bounces and the flood
of 'remove' from

yeah,
  I got hit the other day.

We have put an end to this madness on our systems by building and
configuring the very latest Sendmail v8 and BIND 4.9.6 (attempts
to use v8 failed for being too Berkley,
on a Solaris 2.x system -- but don't start arguing that here
please) in combination with
filters on our gateway router. Load has dropped way down on our
sparc20, and hopefully the spammers will go play with someone
else instead of futilely occupying bandwidth on our circuits .

Let this be an object lesson to those of you out there who have
yet to upgrade:
the spammers will find you sooner or later. They walk down every
A record in every zone until they find a victim. They look in
public databases like RIPE to see what mailboxes are registered
for the zone and they use those names to try to get past your
sendmail filters and launch spam in your name (doesn't work on
us, I thought of that trick).
So go forth to www.isc.org and www.sendmail.org and compile.

Can anyone elaborate a little more on the "one true" set of procedures
that one should take to prevent spammers from abusing ones resources.

The current problem that I have is valid customers who are "on the road"
and want to sendmail through my SMTP server when they dial into
att or netcom, before their eudora's used to point their SMTP server
at me, that ain't happenin' after my spam attach so is there some work
around that they can use?

> Let this be an object lesson to those of you out there who have
> yet to upgrade:
> the spammers will find you sooner or later.

  And once they've found you, they will keep on relaying through
  you until you make it impossible for them to do so.

Can anyone elaborate a little more on the "one true" set of procedures
that one should take to prevent spammers from abusing ones resources.

  It varies depending on what your situation is, and how smart
  you expect your customers to be.

The current problem that I have is valid customers who are "on the road"
and want to sendmail through my SMTP server when they dial into
att or netcom, before their eudora's used to point their SMTP server
at me, that ain't happenin' after my spam attach so is there some work
around that they can use?

  The /best/ idea is to have them use a local SMTP server. If
  they can't or won't do that, there are a few recipes floating
  around that let you exempt messages from specific sources; I
  haven't investigated those much, but they're out there.

Can anyone elaborate a little more on the "one true" set of procedures
that one should take to prevent spammers from abusing ones resources.

1. dump sendmail. It can't prevent relaying.

2. install qmail http://www.qmail.org because relaying is disabled right
outr of the box. In fact I had to dig for a while to figure out how to
relay mail to a server behind a firewall.

3. lean *HEAVILY* on the vendors of email client software to *STOP* *THE*
*MADNESS* of using SMTP to send email. They need to do this via the
authenticated POP or IMAP sessions. Standards be damned. If the vendors
can't agree on a standard for doing this then it is less headache to hack
POP and IMAP servers to handle a half dozen proprietary ways of sending
email via POP/IMAP than it is to deal with SPAM relay messes. P.S. get your
customers to lean on their email client vendors as well. In fact, supply
your customers with email addresses at the email client vendors and tell
them to request this enhancement.

IMHO, of course.

Seriously though, don't expect that you can install a simple sendmail
recipe and solve this problem. The best recipe so far comes from Klaus
Assman http://www.informatik.uni-kiel.de/~ca/email/english.html but it
requires some upkeep to do it this way.

Point 3 is the ideal solution and I really do believe that if an
information campaign is waged with the vendors, this really could be done
within a month or two.

The current problem that I have is valid customers who are "on the road"
and want to sendmail through my SMTP server when they dial into
att or netcom, before their eudora's used to point their SMTP server
at me, that ain't happenin' after my spam attach so is there some work
around that they can use?

Basically, you have to have sendmail allow certain email to be relayed
based on whatever you have to identify those customers. Static IPs are
great, no problem. Small corporate LANs with dialin ports are probably OK
because they probably have their SMTP relaying disabled. But if a customer
is roaming with an AOL account then you can't solve the problem. All you
can do is to tell them to use AOL's SMTP servers when they are dialing in
via an AOL account.

I think this discussion is really pushing the bounds of what is on topic
for this list and unfortunately the Eudora Pro I am using does not seem to
support Reply To headers so here are a couple of better mailing lists to
discuss this on.

inet-access - high volume, can be over 200 messages per day, sometimes
                 gets overwhelmed by chit-chat

send a "subscribe" message to inet-access-request@earth.com

IAP - much lower volume list. Some days there is only one or two messages
       but the volume can perk up if there is a hot topic.

send a message reading "subscribe IAP Your Name" to listserv@vma.cc.nd.edu

Please don't reply to this message on the NANOG list. Please change the To
address to either inet-access@earth.com or IAP@vma.cc.nd.edu

Thanks.

had this to say about "Re: An end to spam through Graphnet":

> The current problem that I have is valid customers who are "on the road"
> and want to sendmail through my SMTP server when they dial into
> att or netcom, before their eudora's used to point their SMTP server
> at me, that ain't happenin' after my spam attach so is there some work
> around that they can use?

  The /best/ idea is to have them use a local SMTP server. If
  they can't or won't do that, there are a few recipes floating
  around that let you exempt messages from specific sources; I
  haven't investigated those much, but they're out there.

I implemented these anti-spam rules on the servers I administrate about
three months ago. There was a flood of complaints from people who use
other dialin services, so I put together a list of the SMTP servers for
"the big boys" and also for the local (competing) ISP's in each community
served (I sysadmin ISP's in three states). The list is available to the
customers via web or email. Since then, no complaints.

[ On Fri, August 1, 1997 at 14:32:34 (-0700), Geoff White wrote: ]

Subject: Re: An end to spam through Graphnet

Can anyone elaborate a little more on the "one true" set of procedures
that one should take to prevent spammers from abusing ones resources.

If you're using smail-3 then the latest beta makes prevention of illegal
third party abuse quite trivial in the simplest cases (and the beta to
come defaults to preventing abuse for normal configs).

The current problem that I have is valid customers who are "on the road"
and want to sendmail through my SMTP server when they dial into
att or netcom, before their eudora's used to point their SMTP server
at me, that ain't happenin' after my spam attach so is there some work
around that they can use?

Oi! I'd say "Just say NO!". This is one of the things I was thinking
about for iPass (and in some ways it's already implemented in some of
their custom installs by way of custom authentication their clients
already had in place), but for random joe dial-up providor you're SOL.

Maybe you could provide some form of authenticating SMTP proxy, but I'd
hate to imagine what might have to be done to client software to enable
such a capability.

[ On Fri, August 1, 1997 at 17:10:19 (-0600), John-David Childs wrote: ]

Subject: Re: An end to spam through Graphnet

I implemented these anti-spam rules on the servers I administrate about
three months ago. There was a flood of complaints from people who use
other dialin services, so I put together a list of the SMTP servers for
"the big boys" and also for the local (competing) ISP's in each community
served (I sysadmin ISP's in three states). The list is available to the
customers via web or email. Since then, no complaints.

AH! That's a really good idea! Just help the customer's configure
their mailer to use the particular SMTP server for the dial-up they're
currently on..... For most purposes this should be more than adequate.
It also opens up a market for a little config wizard that can do this
based on the number dialed!

If your customers always use the same ISP, you could use the "Preventing
Relaying Through Your SMTP Port" ruleset provided at

  http://www.sendmail.org/antispam.html

I have sucsessfully implemented this on our system. (It's pretty trivial)

-Matthew

Matthew White
Systems Administrator
Channel 1 Communications
617.864.0100

Actually, they will, at least in some cases, keep trying indefinitely.
All FDT's systems went anti-relay many months ago...yet:

Aug 2 00:00:23 irc sendmail[18812]: Ruleset check_rcpt
(<laibinis%koan.com@irc.aohell.org>) rejection: 571
<laibinis%koan.com@irc.aohell.org>... we do not relay - if you believe
this to be an error, contact support@fdt.net

Someone told me that a spam package was distributed that specifically
targets IRC servers as relays. It would seem they don't bother updating
the list, or their software is so popular that old versions stay in use.

The system above blocks about 3,000 relay attempts per day, every day,
since it got the anti-relay patches months ago.

Welcome to the club.. It's Avalanche and even though we've sense put exim
and relaying protection on the machine, we are still being pounded by
attempts to use the %-hack relays. We've actually contacted the FBI about
it, and they seemed willing to investigate it, but they never got back to
us -- our FBI contacts have kind of faded away.

Spam sucks..

Keith

I just finished a writeup which covers anti-spam methods using:

- route filters
- the sendmail check_* techniques
- Eudora filters

It includes complete example files (available inline or via FTP). I know
when I started to implement the sendmail check_* rules I scratched
my head a bit. And there are plenty of people who've never even seen
a Cisco access-list.

It's available now at:

http://www.sprocket.com/Security/Stopping-UCE.html

The more people running sites who have this information, the better.

I'm sorry but the North American Excuses List is elsewhere.

  What does "we are working on it" mean to you? To me it
  means "We don't want to do anything about it."

  What does "please give us some time to correct the problem"
  mean to you? To me it means "We're stalling for as much time
  as we can get. Just make an exception for us, would you. Maybe
  our exception will just stay there forever. We're working on it,
  you know."

  Spam is the content-destroyer of the Internet. Blocking,
  removing, no-compromising, no-accepting, and rejecting is
  the solution.

  Ehud

I'm sorry but the North American Excuses List is elsewhere.

take a chill pill.

Graham Toal, a TISPA member, replaces routine CHECKCOMPAT (which was
designed to be local code) in conf.c in sendmail with extensive code. His
approach has made Eric Allman's www.sendmail.org page and can be found at
<http://www.gtoal.com/spam/sendmail.html>.

Graham indicates "Anyone else who is not a Tispa member who wishes to use
this code
must request and be given explicit permission from me."

J.D. Falk wrote:

> > Let this be an object lesson to those of you out there who
have
> > yet to upgrade:
> > the spammers will find you sooner or later.

        And once they've found you, they will keep on relaying
through
        you until you make it impossible for them to do so.

Believe it folks! These characters are persistent and once one
finds you the rest follow.

> Can anyone elaborate a little more on the "one true" set of
procedures
> that one should take to prevent spammers from abusing ones
resources.

        It varies depending on what your situation is, and how
smart
        you expect your customers to be.

> The current problem that I have is valid customers who are
"on the road"
> and want to sendmail through my SMTP server when they dial
into
> att or netcom, before their eudora's used to point their SMTP
server
> at me, that ain't happenin' after my spam attach so is there
some work
> around that they can use?

        The /best/ idea is to have them use a local SMTP
server. If
        they can't or won't do that, there are a few recipes
floating
        around that let you exempt messages from specific
sources; I
        haven't investigated those much, but they're out there.

If someone had a fixed IP address I could theoretically allow
that one through my router filters but that's just begging for IP
spoofing.

Ehud,
You are pretty unforgiving. Shall we all watch and when you screw
up rush to filter your blocks? Not every provider has a huge
staff with nothing else to do. Even when one dedicates personnel
to it, not everyone has the experienced unix wizards to make it
happen in no time flat. You might be right to consider blocking
the originators of the spam but then we got hit from a UUNET
dialup port in honolulu among others including a small isp called
cwia not to mention numerous PSI dialups including San Luis
Opisbo.

So go ahead, Ehud, I dare you to block all PSI in 38/8 and the
UUNET dial ports as well.

(And this from huge players who should have implemented filter
rules to prevent their users from doing ip spoofing and from
using mail servers other than UUNET and other authorized
servers).

Given this state of affairs, it seems ludicrous to block someone
like Graphnet .
Hit the 'vanity mail' and 'profit engineering' outfits by all
means. Not companies that are being victimized.

Dana Hudes
Graphnet

Ehud Gavron wrote:

Date: Fri, 01 Aug 1997 14:32:34 -0700 (PDT)
From: Geoff White <geoffw@precipice.v-site.net>
Subject: Re: An end to spam through Graphnet
To: Dana Hudes <dhudes@graphnet.com>
Cc: nanog@merit.edu

> Hi folks,
> Some time back before the latest round of cable cuts and BIND
> arguments
> you may recall that I notified everyone that Graphnet was being
> abused to
> transit spam. An ugly mess -- between the bounces and the flood
> of 'remove' from

yeah,
  I got hit the other day.

> We have put an end to this madness on our systems by building and
> configuring the very latest Sendmail v8 and BIND 4.9.6 (attempts
> to use v8 failed for being too Berkley,
> on a Solaris 2.x system -- but don't start arguing that here
> please) in combination with
> filters on our gateway router. Load has dropped way down on our
> sparc20, and hopefully the spammers will go play with someone
> else instead of futilely occupying bandwidth on our circuits .
>
> Let this be an object lesson to those of you out there who have
> yet to upgrade:
> the spammers will find you sooner or later. They walk down every
> A record in every zone until they find a victim. They look in
> public databases like RIPE to see what mailboxes are registered
> for the zone and they use those names to try to get past your
> sendmail filters and launch spam in your name (doesn't work on
> us, I thought of that trick).
> So go forth to www.isc.org and www.sendmail.org and compile.

Can anyone elaborate a little more on the "one true" set of procedures
that one should take to prevent spammers from abusing ones resources.

The current problem that I have is valid customers who are "on the road"
and want to sendmail through my SMTP server when they dial into
att or netcom, before their eudora's used to point their SMTP server
at me, that ain't happenin' after my spam attach so is there some work
around that they can use?

Just get your customers to use an Email client that knows how to use MX
records and does not need a "forwarder"! Frontier Technologies sells the
Super TCP/NFS suite with an Email client that works just fine. It even
has internal IDs and Passwords so that more than one person (or you if
you have to look like more than one person) can use the same machine.
   www.frontiertech.com

Dave Nordlund d-nordlund@ukans.edu
University of Kansas 913/864-0450
Computing Services FAX 913/864-0485
Lawrence, KS 66045 KANREN

^^^^^^^^^^^
Why do uu.net dialup ports need to talk directly to your mail servers?
Few dialup users use software that handles SMTP delivery...they generally
do the equivalent of smart host everything off to the provider's SMTP
server, and let it handle sending the message to the actual destination.
I know there are smart mail clients that do handle it themselves...but
they can typically fall-back to the smart host.

I've had the following (plus a few other blocks...cyberpromo, quantcom)
! ms.uu.net dialups bite me
access-list 102 deny tcp 153.34.0.0 0.3.255.255 0.0.0.0 255.255.255.255 eq 25

This was from before I got heavy into check_* rules, so I can probably
remove it now, and ban them in other ways.

[ On Mon, August 4, 1997 at 12:43:29 (-0400), Dana Hudes wrote: ]

Subject: Re: Summary of ANTI-spam techniques now available

(And this from huge players who should have implemented filter
rules to prevent their users from doing ip spoofing and from
using mail servers other than UUNET and other authorized
servers).

Ah! The opening line I was looking for!

As some of you may know I'm both an avid anti-abuse campaigner and the
principal maintainer of smail-3 to which I'm adding various capabilities
to assist in the fight against spam.

One of the obvious things to do, of course, is for the mailer to protect
itself against illegal third-party relay abuse.

Unfortunately a number of the "huge players" are for some reason failing
to implement such anti-relay protection. This is likely due to the fact
that many of them have painted themselves into a corner too often
visited by big operations -- i.e. they cannot quickly and safely evolve
their operating software base.

The other issue mentioned by Dana is the fact that everyone (esp. the
"huge players"!) should have already implemented anti-spoofing IP
filters and should also be preventing dial-up customers from connecting
to anything but the providers authorised mail gateways on port 25.
(I still don't know why routers don't default to minimum anti-spoofing
and private net filtering rules!)

In every spam report I send to providers who have been either subjected
to relay abuse, or who have been the source of connections from their
dial-up customers to the abused relay host, I try to suggest these
measures as a means not only to reduce the abuse that is possible
without them, but also as a means of reducing the load on their
postmasters and customer support departments.

From private face-to-face discussions I've had with several "huge

players" I've discovered that the failure to enforce use of authorised
mail gateways is also sometimes due to the "painted into the corner"
syndrome where the networks and systems supporting dial-up operations
and mail gateways have grown "organically" without consideration and
planning for enforcement of AUPs and other such logical things. Others
are concerned with the CPU cycles necessary to implement such filters.

I'd like to open a discussion of these issues in this group from an
operations point of view (i.e. not the politics, but rather the issues
involved with implementation and maintenance).

Please though if you want to discuss the politics of these issues (eg.
are such filters legal, "right", bad, etc.) do it only in private
e-mail.

I think we may all agree that such filters and restrictions are probably
effective ways to enforce AUPs and reduce abuse, but can we implement
them in our networks without other adverse affects and without swamping
ourselves with maintenance nightmares. I.e. all I want to know about
are concerns, issues, etc. related to how these forms of filters and
restrictions can be implemented in already existing networks and systems
that may not have been designed with them in mind (and may not have been
designed from scratch for their current purpose in the first place! ;-).

I don't know about the "huge players", but we're an Internet Service
Provider, not an Internet Blockage Provider. We don't allow spoofing,
and we don't allow relaying, but we're not about to put filters
to prevent dialup customers from connecting wherever they want.