anybody else been spammed by "no-ip.com" yet?

Date: Fri, 3 May 2002 15:27:08 -0700 (PDT)
From: Scott Granados <scott@graphidelix.net>

I realize this statement I'm about to make is going to open a huge...
can o' worms but ... and hopefully everyone knows I mean this in the most
friendly responsible way ever but I'm not sure entirely what the big
deal with spam is. Honestly sure I get it like everyone else, in some

[...snip...]

money. Today with flat rate access and many people not paying on a per
packet basis it seems to me that the responsibility lies with the end
user to filter properly and or dress that delete key. I always shut

[...snip...]

The problem with this is that, yes, to the END USER, there is no direct
cost involved.

However, in order to maintain the same level of service, the ISP is
forced to go get a bigger pipe and/or bigger, faster routers and/or
servers. (Raises prices a bit per account)

The transit provider raises the costs to the ISP because the packet
count has gone way up.

The backbone provider has equipment running a bit hotter because of the
increased packet count. This may cause them to either increase the
bill to the transit provider and/or procure bigger and better equipment
(to handle the load) before their planned replacement time...

The peers to this ISP are forced to get either bigger pipes and/or more
costly equipment (routers) in order to handle the increased packet
count they might be seeing.

In all of this, the bozo (well..., 'user' really) originating the email
(well, spam) has not paid a thing other than a temporary interruption
in service for one of his throw-away accounts and is still paying a
'flat rate' for the POP (dial-in) service that HIS isp is providing.

For snail mail junk mail (aka spam), the mailer bears ALL of the costs
and, if there is insufficient returns on their junk mail, is forced to
stop. A 'spammer' does not see these costs and thus has no incentive
to find another model to do business.

We get, for our 7K users, upwards of 25,000+ unwanted messages per day
that make it past our not so rigid filters.

My $0.02 worth. Use the delete key...

Regards,
Gregory Hicks

>
>
>
> > > I hate to sound like the big idiot here, but what exactly in the email
> > > you received indicates no-ip.com spammed? It looks to me like you just
> > > have some secret "admirer" who thought you wanted a no-ip.com account,
> > > and no-ip.com emailed you to confirm that you do want the account.
> >
> > spam is like pollution in that (a) whenever you're not sure if you're
> > doing it, you probably are, and (b) if everybody did whatever it is,
> > life would be universally worse for, well, everybody.
> >
> > > Random disclaimer: Yes, we're a competitor of no-ip.com's... And yes, we
> > > used to send similar emails to people signing up for an account,
> > > although nowadays instead of sending them an initial password we send a
> > > confirm URL instead.
> >
> > that's the right approach. no-ip's problem was they presumed my
> > permission.

I'm curious on this "extra traffic" data, since I'm somewhat involved with
antispam website, it'd be interesting to get the statistics and post it to
explain others how bad spam is for internet not only in annoyance but in
actual extra costs and wasted traffic.

Do you have data on the approximate amount of this extra mail bandwidth due to
spam per user? Actually, let's be more exact: can some of you with 10,000
real user mail accounts reply with how much traffic your mail server is using
and, if you have a spam filter, how much (in percentage) of mail was filtered?
And how big was the filtered spam in comparison to all other regular mail?
And if possible, how much disk space was it in comparison to
all other emails?

Since sendmail applies our dnsbl rules before accepting the message, I
can't say how much bandwidth the blocked spam would have used. On a MX
that handles mail for several tens of thousands of actual user accounts,
it's not unusual for us to deliver ~400k messages and reject anywhere from
200k-500k messages. A few weeks ago we had a several day period during
which we rejected > 1,000,000 messages/day.

The rejected numbers can be somewhat inflated though by the 'alphabet
spammers'. I'm not sure what else to call them...but these are the people
who try to send mail to every conceivable address @yourdomain. If you run
a large mail server, you've probably seen them hit you. When they dump
their random address spam on an open relay, that relay gets blacklisted
pretty quickly, resulting in large numbers of dnsbl rejected messages that
would have eventually bounced as 'no such user' bounces, and likely double
bounced.

Worse, IMO, than the bandwidth issue (mail from/rcpt to/571 doesn't use
that much bandwidth), is the mail server load issue. A couple of open
relays pounding on our mail servers trying to deliver a truckload of spam
someone dumped on them will drive up the load in no time. I'm seriously
considering adapting some existing code to watch syslog data and use
kernel packet filtering to cut off connectivity for say 24h from IPs
after N dnsbl caused rejections in Y minutes. This should reduce load
considerably. While typing this I was just watching the log on one mail
server and noticed several rejections/sec from mail.ignacio.k12.co.us.
That system is an open relay (listed in several blacklists) and has been
trying to deliver mail to atlantic.net since last Wednesday. We've
rejected from them the following numbers of messages:

Wed: 82102
Thur: 286861
Fri: 215779
Sat (so far): 62128
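The syslog-watching cutoff sketched above ("N dnsbl-caused rejections in Y minutes"), as an added example that is not the poster's code: a sliding-window counter over constructed sendmail-style rejection lines. The log layout, the 2002 year and the thresholds are assumptions; the block only reports which relay IPs crossed the threshold and when, leaving the packet-filter action to the operator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines laid out like sendmail syslog output (not real
# log data): two relays are dnsbl-rejected, one message is accepted.
SAMPLE_LOG = """\
May  4 10:00:01 mx1 sm-mta[2211]: g44E01a02211: ruleset=check_relay, relay=mail.example.org [192.0.2.10], reject=550 5.7.1 Rejected: listed in dnsbl
May  4 10:00:09 mx1 sm-mta[2214]: g44E09b02214: ruleset=check_relay, relay=mail.example.org [192.0.2.10], reject=550 5.7.1 Rejected: listed in dnsbl
May  4 10:00:30 mx1 sm-mta[2220]: g44E0Uc02220: ruleset=check_relay, relay=[198.51.100.7], reject=550 5.7.1 Rejected: listed in dnsbl
May  4 10:01:02 mx1 sm-mta[2231]: g44E12d02231: ruleset=check_relay, relay=mail.example.org [192.0.2.10], reject=550 5.7.1 Rejected: listed in dnsbl
May  4 10:01:15 mx1 sm-mta[2235]: g44E1Fe02235: to=<user@atlantic.net>, delay=00:00:01, relay=local, stat=Sent
May  4 10:01:40 mx1 sm-mta[2240]: g44E1ef02240: ruleset=check_relay, relay=mail.example.org [192.0.2.10], reject=550 5.7.1 Rejected: listed in dnsbl
May  4 10:09:00 mx1 sm-mta[2301]: g44E90g02301: ruleset=check_relay, relay=[198.51.100.7], reject=550 5.7.1 Rejected: listed in dnsbl
"""

# Syslog timestamp, the relay's bracketed IP, and a reject= marker.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*relay=\S*\s*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*reject="
)
LOG_YEAR = 2002  # syslog timestamps carry no year; assumed for the sample


def parse_rejection(line):
    """Return (timestamp, relay_ip) for a rejection line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def offenders(lines, n_rejects, window_minutes):
    """Sliding-window count of rejections per relay IP.

    Returns {ip: time at which the Nth rejection inside the window arrived},
    i.e. the moment an operator's cutoff rule would fire for that relay.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_rejection(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire rejections older than Y minutes
            q.popleft()
        if len(q) >= n_rejects and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines(), 4, 5).items():
        print(f"{when:%b %d %H:%M:%S} cutoff candidate: {ip}")
```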

At the moment I'm actually interested in statistics on the size of spam
messages as compared to the average size of a mail message, to try to calculate
the amount of mail bandwidth they really waste...

My own calculations show around 27% spam email and I've seen statistics
from 20-30% from others (someone else also wrote me 1/3 of the email;
this is a little inflated but shows generally what it is). But I'm interested
in actual numbers on per-size-of-email statistics if possible.

I've been roasted privately and called naive in thinking that pay-per-mail
is a valid solution.

Let me first say that the $0.02 I pulled "out of the air" was derived
simply by taking the $80/hr I bill to clients and dividing that by 3600
(number of seconds in an hour) thus $0.022. I'd say that about 1 second
per email is probably real in relation to my time.

Let me explain why I've come up the pay per message as an answer. I
realize that this has got issues with it - such as abuses of the
micropayment system, etc. etc. etc.

Anyone who thinks that government can pass a law and this will go away is
hopelessly naive. The spammers will go overseas. Besides, if you look
at the content of a lot of the spams I receive I doubt the senders care
much about the law. The junk fax law, in my opinion, worked primarily
because sending faxes from locations outside the US jurisdiction cost more
and there were few things you could provide from overseas which were
marketable via fax.

Anyone who thinks that educating people and making them all close their
open relays is going to make the problem go away is hopelessly naive.
There are just too many admins out there, most of whom are of the "I think
running my own mail server is a good idea, but I really don't have much of
a clue about how the mail server REALLY works" variety. It's not possible.

That leaves technological measures.

Spam filters are a good idea, but spam is a very moving target. I run
spamassassin (highly recommended) on a couple of mail servers. When I
first install a newly-released version of spamassassin it is nearly
perfect. Over a couple of months it gets less and less effective, at
which point I install the newest version, which improves effectiveness
again. Occam's razor is good, but in reality only catches spam if it has
been reported to the razor. rbldns lists are effective only against the
worst offenders, as the rest don't get reported until it is too late.
and so on.

I think the only other methods I can think of are best described as some
sort of "web of trust" type method. These are essentially whitelist
systems. In order to send me mail you have to *do* something.

The first option is a traditional "If you send me email and I don't know
you, I'll bounce the message and you have to reply with a specially
formatted mail message in order to get your mail through". The main
problem with this model is that in circumstances where bulk mailing is
necessary (such as notifications of credit card payment due, etc.), you
run into a problem. The other thing is that eventually, spammers will
learn how to respond to these messages automatically.

The second is more of a secure-smtp model, in that each mail server is
"Certificated" in one way or another and that you only accept mail from
"Certificated" mail servers. One of the conditions of being
"certificated" is verification of anti-spam technological and other
measures (such as being able to identify spammers, etc.). In a small
internet, this is a perfectly workable solution. In a globally sized one,
it seems to me that the likelihood of spammers being able to work around
the system is as close to 100% as you can get.

The pay-per-message system I proposed was an outgrowth of the
"certificated" option. In essence, my theory is that if you paid
*something* for each message you send, then everything should equal out in
the long run. Generally, other than mailing lists and spam, I send about
1 message for every one I receive. A spammer sends tens of thousands of
messages for every one he receives. There are a whole new set of problems
caused by this which I think have mostly been mentioned - to summarize,
they mostly relate to the technical problems with doing this, plus the
possibility of abuse of the system, etc. etc. etc.

Someone pointed me to a discussion of camram at
http://harvee.billerica.ma.us/~esj/camram.html. I initially *like*
something like this option. In short, it forces the sender to spend a lot
of CPU cycles for every message they send. Need to send a lot of email,
well, spend a LOT of cpu cycles.

The point I was trying to make with the pay-per-message is that the real
cause of spam is an economic one. That is, the cost of sending the spam
is less than the profit the spammers make from the spam. If we can
increase the cost of sending the spam, then we will lessen the
profitability of sending it, and the problem will diminish substantially.
Remember almost 100% of the spam is driven by greed, and if we can't
satisfy the greed of the spammers, they will go elsewhere.

- Forrest W. Christian (forrestc@imach.com) AC7DE

"Forrest W. Christian" wrote:

Anyone who thinks that government can pass a law and this will go away
is hopelessly naive.

Uh, thanks. The government has all kinds of property protection laws. My
mail spool is my property. Do the math.

The spammers will go overseas.

Are they marketing products and goods sold domestically? Who cares where
the spam came from if the numbskull is domestic?

The first option is a traditional "If you send me email and I don't
know you, I'll bounce the message and you have to reply with a
specially formatted mail message in order to get your mail through".

Whitelists are just another form of "no trespassing" property protection.

The pay-per-message system I proposed was an outgrowth of the
"certificated" option.

First, nobody wants to pay $.02 to email grandma. They will pick up the
phone instead. Second, nobody will send any emails that they don't have
to, period. This will just drive Internet users away because of the cost
rather than being driven away because of spam.

Laws are a necessary first step and will have the most positive effect.
Micropayments won't be needed if the right laws are passed. Given the
history, the biggest problem with the legal approach is that congress will
pass a bad law instead of the one they need to, which is to extend the
TCPA to include spam.

Been there, done that, and it made no significant difference. Both J.D.
Falk and I put a lot of work into getting tough anti-spam legislation
passed, and we were successful. Here in California we now have jail time
for second-offense spammers. Does it make a damned bit of difference? No.
Was it worth trying? Yes, of course.

The conclusion I came to at the time was that the bond-posting
micropayment schemes were the only way out of the problem, and I haven't
seen anything to change my mind on that since. Whitelists are too
drastic, I think, but I'm slowly headed that way.

                                -Bill

Uh, thanks. The government has all kinds of property protection laws. My
mail spool is my property. Do the math.

Your car is your private property as well, but if you park it in a public
place, with the engine running, and offer every passerby the opportunity to
use it at no cost or obligation, "the government" is not going to help you
get the car back when someone takes you up on your offer.

Laws are a necessary first step and will have the most positive effect.
Micropayments won't be needed if the right laws are passed. Given the
history, the biggest problem with the legal approach is that congress will
pass a bad law instead of the one they need to, which is to extend the
TCPA to include spam.

Yeah, another unenforceable law that nobody will give a shit about, except
when it's time to pay for the [non-enforcing] "enforcement agents" (tax
time).

I'm talking strictly end-user to end-user payments here.

The people in the middle would get *nothing* beyond what they are getting
today.

Grandma would get 2c for each mail she received. Grandma would pay 2c for
each email she sent. Where does that cause the problems you are talking
about?

- Forrest W. Christian (forrestc@imach.com) AC7DE

"Forrest W. Christian" wrote:

Grandma would get 2c for each mail she received. Grandma would pay 2c
for each email she sent. Where does that cause the problems you are
talking about?

I send a lot more mail than grandma does.

I want to clarify this a bit, before I get flamed (not that I'm not going
to anyways).

First, nobody wants to pay $.02 to email grandma. They will pick up the
phone instead. Second, nobody will send any emails that they don't have
to, period. This will just drive Internet users away because of the cost
rather than being driven away because of spam.

sounds a bit like www.vanqish.com . But other than that, how
would it work for mailing lists like this one?

Then the way to do this is to make the cost of sending mass mail more
expensive than sending only a few here and there. In short, we need a way to
prevent the use of the $19.95 throw-away account that is used to send the
vast majority of spam. Let's face it, only the biggest of the hardcore
spammers are willing to pay out for dedicated lines.

How about something along the lines of dial accounts having their outgoing
SMTP connections rate limited to, oh, let's say 100 per day, and limiting the
maximum number of recipients on any given email to some low number, say 5?

A customer reaches the limit, the account auto-rejects all email for 24
hours.

Someone bitches? Let them buy full rate dedicated services, with the first
month, last month, and a security deposit up front before service is
established.

<facetious>

Hey! Where's my reply? I'm in the hole $.04 on this thread now!

Right! No more mail to you until you send me two messages!

</facetious>

Then we all move to some other medium that doesn't cost money -- and then
the spammers follow us there too.

"Eric A. Hall" wrote:

My solution to this would be for people to be able to select certain
senders as not being charged.

- Forrest W. Christian (forrestc@imach.com) AC7DE

The problem with this is how do you enforce this across thousands of mail
servers, controlled by many many different organizations?

I'm not saying the pay-per-message option is perfect. In fact, the more
I think about a camram-type solution the more I like it: where the sender
proves to the recipient that they spent a fair bit of CPU time before
sending the message.

The bottom line is that in my opinion people need to give up *something*
for the privilege of sending mail. I suggested a couple of cents per
message. Others reject this as "it will destroy the net". Camram
requires people to give up CPU cycles. This might be an easier thing to
swallow.

Passing laws and putting on filters don't work. Depending on each mail
server admin to do the right thing doesn't work. We need to find
something else that will.

- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
The Innovation Machine Ltd.   P.O. Box 5749   Helena, MT 59604   (406)-442-6648
http://www.imach.com/   Home of PacketFlux Technologies and BackupDNS.com

Yes, but even if you send one a day and she never responds, this only
comes out to $7.30/year.

Hey, I'm not saying this is perfect. I'm just saying that passing laws
and filtering and depending on admins to do the "right thing" just doesn't
work. Ask people in those states which have anti-spam laws how many fewer
spam messages they receive than before.

We need something else. It must be enforceable at the receiving side, and
we must be able to step into it gradually. The best solution I've seen,
thanks to someone else on the list, is camram, which makes you pay for
sending the email by proving you have spent about 15 seconds' worth of CPU
cycles. In fact, I'm thinking this is probably a better solution than the
pay-per-message solution, as we don't have to worry about settlement, etc.
etc., which was the real problem with the pay-per-message.

- Forrest W. Christian (forrestc@imach.com) AC7DE
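The camram idea raised in this and the earlier posts (the sender spends CPU cycles per message and proves it to the recipient), as an added example that is neither camram's own code nor its stamp format: a hashcash-style proof-of-work stamp. The stamp layout, SHA-256 and the difficulty values are assumptions; the receiver side also checks the date, the recipient and a seen-set so a stamp cannot be reused, which is what makes the proof worth anything.

```python
import hashlib
import os

# Hypothetical stamp layout (not camram's real format):
#   version:bits:date:recipient:random:counter
# The sender iterates counter until the SHA-256 digest of the stamp has at
# least `bits` leading zero bits; the receiver checks that with one hash.


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint_stamp(recipient, date, bits):
    """Sender side: brute-force a counter; expected work is 2**bits hashes."""
    rand = os.urandom(8).hex()      # keeps two senders from sharing work
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{recipient}:{rand}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp, recipient, min_bits, today, seen):
    """Receiver side: returns (accepted, reason); `seen` is the double-spend set.

    The date check bounds how long `seen` must be kept (one day assumed here);
    the recipient check stops one stamp being mailed to a whole address list.
    """
    fields = stamp.split(":")
    if len(fields) != 6 or fields[0] != "1" or not fields[1].isdigit():
        return False, "malformed"
    claimed_bits = int(fields[1])
    if claimed_bits < min_bits:
        return False, "too cheap"
    if fields[2] != today:
        return False, "stale"
    if fields[3] != recipient:
        return False, "wrong recipient"
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < claimed_bits:
        return False, "bad proof"
    if stamp in seen:
        return False, "reused"
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    import time
    t0 = time.perf_counter()
    stamp = mint_stamp("grandma@example.net", "20020504", 20)
    print(f"minted in {time.perf_counter() - t0:.1f}s: {stamp}")
    print(verify_stamp(stamp, "grandma@example.net", 20, "20020504", set()))
```

Raising `bits` by one doubles the sender's expected work while the receiver's check stays a single hash, which is the asymmetry the "15 seconds of CPU" proposal relies on.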

sounds a bit like www.vanqish.com . But other than that, how
would it work for mailing lists like this one?

My solution to this would be for people to be able to select certain
senders as not being charged.

... which leads to the same problems every e-postage scheme does:

* It swaps the current set of problems for an all-new and quite
  possibly worse set of problems, as bad guys come up with ways to
  scam the per-message payment system. Just think, get infected with
  e-payment klez via your fast always-on DSL connection, come back the
  next day and find that it's sent 50,000 messages so it's spent
  $1,000 of your money. If you waive fees for virus victims, every
  spammer's going to claim a virus did it. And maybe a virus really
  did do it, it's the obvious way to send spam with someone else's
  stamps.

* It turns every ISP into a bank. ISPs don't have the expertise to be
  banks, nor can they afford the financial exposure. What are you
  going to do when 10 of your users get e-klez, refuse to pay the
  postage that the virus stole, and leave you holding a $10K bag?

* Nobody in the world has the faintest idea how you could implement 2
  cent payments fast and cheap enough to use to pay for e-mail.

If you're serious about e-postage, could you let us know what your
solutions to these problems are? You may have insights that the rest
of us don't, but we'll never know if you don't tell us.

Regards,
John Levine, postmaster@iecc.com, postmaster@gurus.com, postmaster@services.net
(and postmaster of about 100 other domains)

PS: Anti-spam laws aren't going to solve everything, but the TCPA made
a whole lot more difference to the junk fax problem than any set of
phone line filters.

this will work well for those of us who are trying to enable non-1st world
communications.

ever tried to source a 1GHz processor in central Africa?

"Forrest W. Christian" wrote:

Ask people in those states which have anti-spam laws how many fewer
spam messages they receive than before.

Although responding to this message puts me back to -$.04, I will point
out that the junk fax law worked pretty well. It didn't take long for
people to get the point that they shouldn't be faxing lunchroom menus to
everybody in their area code.

The spam laws are geographically constrained and inconsistently
interpreted. A federal law would have significantly greater impact.

The camram stuff is a neat idea but IMO it is even less likely to succeed,
since there isn't anybody with a financial incentive to make sure that it
works and to drive the necessary adoptions. A micropayment option with a
big backer at least has the chance to do things like pay email developers
to add support for it.