Despamming wholesale dialup

    To address this I have proposed installing filters that will only allow
    these folks to connect to port 25 of the ISP that has bought the ports.
    This way they are not able to relay off of anyone else's machine.

    The problem is for companies like ours that live by selling mail accounts
    to users of other ISPs. They need POP and SMTP access to our mail servers,
    from wherever they are calling. We are running sendmail v8.9.1 with all
    the anti-relay stuff and RBL besides. The problem you have is the same one
    we have for secured SMTP, maybe easier. How do you tell the site is secure?
    In this case testing for open relays is well known.

    What I really suggest, and this takes some work on your part, is to
    contact the site's admin and inform them of their open-relay status. If
    they won't close the relay, block them. Alternatively, you can assume that
    if they haven't gotten their relays closed by now they are too clueless to
    do so and block them immediately, with notification.

  The problem is when the spam-bastard isn't relaying. We've been getting
thousands of messages every week from spammers who buy dialup from various
places, then connect directly to the destination mail server to deliver the
mail. That's what this prevents. I don't know of any other method that
does.

  An interesting answer to the problem you discussed above was suggested by
somebody from the EFF at a spam BOF at USENIX this summer. He suggested
that by default, you filter on port 25. But if somebody needs access for
legitimate reasons, or even if they don't, have a letter they can fill out,
sign, and send in which states that they will not send spam, subject to a
$500/message penalty. Then if they do, just bill them.

  An alternative for you would be to run a mail server on a different
port...

-------Scott.

First Harold outlined this plan for AGIS modems rented to ISPs:

    To address this I have proposed installing filters that will only
    allow these folks to connect to port 25 of the ISP that has
    bought the ports. This way they are not able to relay off of anyone
    else's machine.

Then Roeland recommended:

    What I really suggest, and this takes some work on your part, is to
    contact the site's admin and inform them of their open-relay status.

We do this now. When a site is blocked by our subscription to ORBS, I send
them a nice friendly note, admin to admin. How many? A couple hundred a
month. Some fix it promptly. Some send me a nice thank you note. Most
don't (do either one).

And more:

    If they won't close the relay, block them. Alternatively, you can
    assume that if they haven't gotten their relays closed by now they are
    too clueless to do so and block them immediately, with notification.

Sometimes we get complaints from the ORBS blocked ISP's customer (via my
customers). Got two recently from customers of some Dallas and Houston
based ISPs. We notified these ISPs 1 and 2 months ago respectively. Clue
deficient, or priorities skewed? If they would just call me and tell me
when they will fix it, we could make arrangements.

Then Scott reiterated:

    The problem is when the spam-bastard isn't relaying. We've been
    getting thousands of messages every week from spammers who buy
    dialup from various places, then connect directly to the
    destination mail server to deliver the mail. That's what this
    prevents. I don't know of any other method that does.

If all the ISPs won't do what Harold has proposed, then we have no choice,
in our own self defense, but to block port 25 from all the modems by IP
(and open up corresponding holes for responsible SMTP servers in the same
netblock).

But my question is - Would responsible netops be willing to give me a list
of their (non-relaying) SMTP servers?

Anything toward fixing the problem is appreciated.

-bryan
abuse@capnet.state.tx.us T:512.936.2248 F:512.463.3456
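The two filtering plans in this thread, Harold's (a rented modem pool may reach port 25 only on the mail server of the ISP that bought the ports) and Bryan's (block port 25 from modem netblocks, with holes for responsible SMTP servers inside those netblocks), as one added policy example. This is not code from any of the posters; the pools, server addresses and the rule syntax are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

SMTP_PORT = 25

# Harold's plan: each rented modem pool maps to the SMTP server(s) of the
# ISP that bought those ports.  Addresses are constructed (RFC 5737 space).
POOL_SMTP_SERVERS = {
    ip_network("192.0.2.0/24"): {ip_address("198.51.100.25")},
    ip_network("203.0.113.0/24"): {ip_address("203.0.113.250"),
                                   ip_address("198.51.100.25")},
}

# Bryan's "holes": responsible SMTP servers living inside a modem netblock
# that keep unrestricted outbound port 25.  Constructed.
EXEMPT_SOURCES = {ip_address("203.0.113.250")}


def pool_for(src):
    """Return the modem pool containing src, or None if src is not a rented port."""
    src = ip_address(src)
    for pool in POOL_SMTP_SERVERS:
        if src in pool:
            return pool
    return None


def smtp_egress_allowed(src, dst, dport):
    """Decide whether a TCP connection src -> dst:dport may leave the dialup edge."""
    src, dst = ip_address(src), ip_address(dst)
    if dport != SMTP_PORT:
        return True          # only port 25 is filtered; POP etc. stay open
    if src in EXEMPT_SOURCES:
        return True          # a known-good SMTP server inside a modem netblock
    pool = pool_for(src)
    if pool is None:
        return True          # not a modem address, so untouched by this filter
    return dst in POOL_SMTP_SERVERS[pool]


def render_rules():
    """Render the same policy as an ordered first-match permit/deny list."""
    rules = [f"permit tcp host {s} any eq {SMTP_PORT}" for s in sorted(EXEMPT_SOURCES)]
    for pool, servers in POOL_SMTP_SERVERS.items():
        for s in sorted(servers):
            rules.append(f"permit tcp {pool} host {s} eq {SMTP_PORT}")
        rules.append(f"deny tcp {pool} any eq {SMTP_PORT}")
    rules.append("permit ip any any")   # everything not matched above is unaffected
    return rules
```

Note that the exemption line for a server inside a netblock must precede that netblock's deny, which is why `render_rules` emits the holes first.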

Quick note about ORBS: there are people ORBS blocks (such as GOL in Japan)
which do not have any open relays, and never did. It's purely a personal
grudge held by the ORBS operator.

Don't rely on ORBS.

  Quick note about ORBS: there are people ORBS blocks (such as GOL in Japan)
  which do not have any open relays, and never did. It's purely a personal
  grudge held by the ORBS operator.

Having bought into the "only open relays" and "only automated testing"
claims of ORBS, I was doubtful here. I was a bit shocked to find all of
203.216.0.0/16 in the zonefile for ORBS and asked the ORBS maintainer about
it.

He replied:

  The administrator 203.216.0.0/16 specifically requested ... actually
  ... demanded that his address space be added to ORBS and that I
  forever desist from testing his addresses or notifying him of
  open relays.

  I had about 70 open relays listed in that range at that time.
  Since he requested that the entire space be added to ORBS,
  I complied.

  This is the only address space in ORBS that comprises more than
  one address and which each address has not specifically been tested
  to be open relays.

He attached copies of mail from abuse@gol.ad.jp which more or less request
exactly that. Copies are available upon request.

I also looked through the zonefile a bit more and found no other wildcards.

Apologies to those of you trying to drop the spam thread.

                              Aaron Hopkins
                              Chief Technology Officer
                              Cyberverse, Inc.