Attack of the Killer Spam

NANOG folk:

Over the past few weeks, I have noticed an influx of SPAM(tm) transmitted by
UUNet dynamic IP dial-up users (read: MSN, Earthlink, GTE, etc.) and relayed
using Earthlink SMTP relays. Am I turning senile prematurely, or has anyone
else noticed this influx?

Also, how easy would it be for Earthlink and other nationwide "ISP's" (or
more accurately, UU/PSI resellers) to do the following? This would not stop
SPAM(tm) dead in its tracks, but I figure it would make it easier to hold
spammers accountable at least... unless, of course, they use throw-away
accounts, in which case there is not much that can be done...

- institute anti-spam rules on their SMTP relays, i.e. only relay mail
reporting to be from earthlink.net and the virtual domains they host

- only allow SMTP relaying from IP's assigned to *their customers*
dynamically (cross-reference Radius logs?)

Constructive feedback would be greatly appreciated! Together, we CAN make a
difference.

Regards,
Adam

We require all of our customers' users to authenticate themselves, i.e.,
their current IP address with us via a POP connection before they're
allowed to use our SMTP servers. Once a successful POP login has been
completed, that "authorization" is good for 30 minutes.

Because we've done this, our service has been 100% free from unauthorized
relaying while at the same time keeping our relays totally open for our
customers' customers no matter where they're connecting. This was
essential for us to implement because we're a mail service provider for
Internet service providers, all of our direct customers are ISPs, and we
have no control over the networks that those ISPs' users come in from.
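As an added illustration of the POP-before-SMTP scheme described in this reply (example code, not the poster's own; the class, function names and the 10.0.0.5 address are hypothetical), including the dynamic-IP reassignment gap and the RADIUS-log cross-reference suggested in the original post:

```python
from typing import Dict

# Constructed example of POP-before-SMTP: a successful POP login authorizes
# the client's IP address to relay through the SMTP servers for a fixed
# window (30 minutes in the reply). Names and 10.0.0.5 are hypothetical.
AUTH_WINDOW_SECONDS = 30 * 60


class PopBeforeSmtp:
    def __init__(self, window: int = AUTH_WINDOW_SECONDS) -> None:
        self.window = window
        self._expiry: Dict[str, float] = {}  # client IP -> grant expiry (epoch s)

    def pop_login(self, ip: str, ok: bool, now: float) -> None:
        """Called by the POP server after every login attempt."""
        if ok:
            self._expiry[ip] = now + self.window  # (re)start the window
        # a failed login leaves any existing grant untouched

    def session_end(self, ip: str) -> None:
        """Revoke the grant when the dial-up session ends (e.g. on a RADIUS
        Accounting-Stop record), so a reassigned IP inherits nothing."""
        self._expiry.pop(ip, None)

    def may_relay(self, ip: str, now: float) -> bool:
        """Called by the SMTP server before accepting a non-local recipient."""
        expiry = self._expiry.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[ip]  # expired; drop it so the table stays small
            return False
        return True


def dynamic_ip_reuse_scenario(revoke_on_hangup: bool) -> bool:
    """Constructed scenario: a dial-up user logs in via POP, hangs up ten
    minutes later, and the POP farm hands 10.0.0.5 to a different caller.
    Returns whether that second caller (who never logged in) may relay."""
    cache = PopBeforeSmtp()
    cache.pop_login("10.0.0.5", ok=True, now=0.0)
    if revoke_on_hangup:
        cache.session_end("10.0.0.5")  # RADIUS Accounting-Stop arrived
    return cache.may_relay("10.0.0.5", now=600.0)
```

Without the session-end revocation the 30-minute grant outlives the dial-up session, which is why a time-based grant alone is weaker than cross-referencing the RADIUS logs.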

- only allow SMTP relaying from IP's assigned to *their customers*
dynamically (cross-reference Radius logs?)

I have heard that uunet and PSI don't provide enough information in
real time for their POP farm ISP customers to tell the difference
between their own customers and other random users of the same POP
farms, much less tell which user is on which IP so they can stamp
outgoing mail.

Is that still true?

Speaking of POP farms, the other major one is IBM -- how much
real-time info do they provide?

And since we're on this topic, at NANOG in Scottsdale we suggested
that ISPs firewall in their users so the only port 25 connections they
can make are to the ISP's own SMTP server, so the ISP can stamp
outgoing mail with the actual sender ID and possibly do volume
monitoring and choking. (You could either block connections to other
systems, or warp them to your own servers, and you'd need provision
for exceptions for people who send in a signed AUP, etc.) How far is
that from being feasible for POP farm customers?

I collect some spammer accounting here, and I saw a lot of spam passed
through mail relays. If someone wants to get these collected spam messages,
I can do it for him in the near future.

PS. Don't kill anyone, but investigate him and poison him to a
half-alive state -:). It's the best idea I know...

But I don't think it's the best place for such discussions.

Date: Tue, 30 Dec 1997 19:42:07 -0500
From: Adam Rothschild <asr@millburn.net>
To: nanog@merit.edu
Subject: Attack of the Killer Spam

- institute anti-spam rules on their SMTP relays, i.e. only relay mail
reporting to be from earthlink.net and the virtual domains they host

- only allow SMTP relaying from IP's assigned to *their customers*
dynamically (cross-reference Radius logs?)

And what would you get? It's no problem for any spammer to buy 100
dialup accounts around the USA, and use (legally) all these UUnet, MCI, etc.
mail relays...