open relays at Earthlink

Earthlink has the following open mail relays:

gull.prod.itd.earthlink.net
snipe.prod.itd.earthlink.net
(a couple of other earthlink hosts, I can't remember which now, they were
all in the .prod.itd.earthlink.net subdomain.)

I know this because I have been getting spammed by someone using them for
the past week. I have tried e-mailing abuse@earthlink.net several times and
have received no response.

I'm hoping a clueful Earthlink admin will see this post and take the
appropriate action. If not, then maybe Earthlink should be "nominated" for
RBL.

--Adam

Earthlink has the following open mail relays:
gull.prod.itd.earthlink.net

  feeding: {13} rly2 gull.prod.itd.earthlink.net
  Connecting to gull.prod.itd.earthlink.net ...
  <<< 220 gull.prod.itd.earthlink.net ESMTP Sendmail 8.8.7/8.8.5; Mon, 17
      Aug 1998 07:58:06 -0700 (PDT)
  >>> HELO feeding.frenzy.com
  <<< 250 gull.prod.itd.earthlink.net Hello feeding.frenzy.com
      [209.198.128.35], pleased to meet you
  >>> MAIL FROM:<sam_merritt@hotmail.com>
  <<< 250 <sam_merritt@hotmail.com>... Sender ok
  >>> RCPT TO:<harter@feeding.frenzy.com>
  <<< 550 <harter@feeding.frenzy.com>... Relaying Denied
  rly2: relay rejected - final response code 550

snipe.prod.itd.earthlink.net

  feeding: {17} rly2 snipe.prod.itd.earthlink.net
  Connecting to snipe.prod.itd.earthlink.net ...
  <<< 220 snipe.prod.itd.earthlink.net ESMTP Sendmail 8.8.7/8.8.5; Mon, 17
      Aug 1998 08:00:04 -0700 (PDT)
  >>> HELO feeding.frenzy.com
  <<< 250 snipe.prod.itd.earthlink.net Hello feeding.frenzy.com
      [209.198.128.35], pleased to meet you
  >>> MAIL FROM:<sam_merritt@hotmail.com>
  <<< 250 <sam_merritt@hotmail.com>... Sender ok
  >>> RCPT TO:<harter@feeding.frenzy.com>
  <<< 550 <harter@feeding.frenzy.com>... Relaying Denied
  rly2: relay rejected - final response code 550

I know this because I have been getting spammed by someone using them for
the past week. I have tried e-mailing abuse@earthlink.net several times and
have received no response.

I'm hoping a clueful Earthlink admin will see this post and take the
appropriate action. If not, then maybe Earthlink should be "nominated" for
RBL.

They must have fixed it (or you didn't test it). Let's not be too hasty.

Sam

Hello-

While suggestions for denying relaying are appreciated, a majority of
EarthLink members access our mail servers via POPs on the UUnet and PSI
networks. Closing our servers to those networks is not possible (though
they are effectively closed to relaying for all other traffic).

Our Network Abuse department works closely with UUnet and PSI to identify
and take action on spammers that access our servers via their POPs.

Please continue to report any incidents to abuse@earthlink.net for handling
on a case-by-case basis.

While a personal response to mail sent to abuse@earthlink.net is not always
possible, if you continue to utilize our established abuse resolution
channels by forwarding the message, with full headers intact, to
abuse@earthlink.net, we will continue to either take immediate action on
any EarthLink accounts identified, or forward complaints along to the
appropriate network(s) until action is taken on the accounts responsible.

Please let me know if I can be of further assistance.

How about using POP before SMTP (works with any POP3 client), Authenticated
SMTP (supported in Outlook 98 client) and XTND XMIT (supported in Eudora
Pro 4.x) or just support all of the above? Then you would be able to close
those mailservers to any relaying whatsoever.

We support all of those mail-sending methods and because of that we have
not relayed one single message for a non-customer in the life of our
service.

Regards,
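The relay decision argued over in the two messages above, as an added example (not code from the thread or from any ISP's configuration): one policy trusts a whole leased dial-up pool, the other relays only after a POP3 login or SMTP authentication. The class and function names, the `isp.example` domain, the 198.51.100.0/24 pool and the 30-minute window are assumptions made for illustration; 209.198.128.35 is the test client from the transcript earlier in the thread.

```python
import ipaddress

RELAY_WINDOW = 30 * 60  # assumed: seconds a POP3 login keeps relaying open


class RelayPolicy:
    """Decides the reply to RCPT TO for one SMTP server (illustrative)."""

    def __init__(self, local_domains, trusted_nets=(), window=RELAY_WINDOW):
        self.local_domains = {d.lower() for d in local_domains}
        self.trusted_nets = [ipaddress.ip_network(n) for n in trusted_nets]
        self.window = window
        self._pop_logins = {}  # client IP -> time of last successful POP3 login

    def record_pop_login(self, client_ip, now):
        # The POP3 server would call this after a successful USER/PASS.
        self._pop_logins[ipaddress.ip_address(client_ip)] = now

    def check_rcpt(self, client_ip, rcpt, now, smtp_authenticated=False):
        """Return (reply_code, reason) for one recipient."""
        addr = rcpt.strip().strip("<>")
        if "@" not in addr:
            return 501, "Syntax error in recipient address"
        domain = addr.rsplit("@", 1)[1].lower()
        # Mail addressed to our own users is delivery, not relaying.
        if domain in self.local_domains:
            return 250, "local recipient"
        # Everything below is relaying to a third party.
        if smtp_authenticated:
            return 250, "relay: authenticated SMTP"
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.trusted_nets):
            return 250, "relay: trusted network"
        seen = self._pop_logins.get(ip)
        if seen is not None and 0 <= now - seen <= self.window:
            return 250, "relay: POP before SMTP"
        return 550, "Relaying Denied"


# Constructed sample data (documentation address range, not real pools).
LEASED_POOL = "198.51.100.0/24"  # dial-up pool shared by many resellers
CUSTOMER = "198.51.100.20"       # our subscriber, has checked mail via POP3
STRANGER = "198.51.100.77"       # same pool, someone else's subscriber
OUTSIDE = "209.198.128.35"       # test client seen in the transcript above


def demo():
    pool_trusted = RelayPolicy(["isp.example"], trusted_nets=[LEASED_POOL])
    pop_first = RelayPolicy(["isp.example"])
    pop_first.record_pop_login(CUSTOMER, now=1000)
    rcpt = "<someone@elsewhere.example>"
    late = 1000 + RELAY_WINDOW + 1
    return {
        # Trusting the pool relays for anyone who dials into it ...
        "pool_trusted/stranger": pool_trusted.check_rcpt(STRANGER, rcpt, 1600),
        # ... while an outside test still sees "Relaying Denied".
        "pool_trusted/outside": pool_trusted.check_rcpt(OUTSIDE, rcpt, 1600),
        # Per-user proof of identity closes the pool to non-customers.
        "pop_first/stranger": pop_first.check_rcpt(STRANGER, rcpt, 1600),
        "pop_first/customer": pop_first.check_rcpt(CUSTOMER, rcpt, 1600),
        "pop_first/customer_late": pop_first.check_rcpt(CUSTOMER, rcpt, late),
        "pop_first/inbound": pop_first.check_rcpt(OUTSIDE, "<u@isp.example>", 1600),
    }


if __name__ == "__main__":
    for case, (code, reason) in demo().items():
        print(f"{case:26} {code} {reason}")
```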

Is there a list of the dial up pools for the big providers anywhere? I
would like to lock them out from delivering SPAM directly to us.

We support all of those mail-sending methods and because of that we have
not relayed one single message for a non-customer in the life of our
service.

Maybe in part because your customers are remarkably endowed with clueons.
In my abundant experience supporting configuration changes on the part of
dial-up users (like Mindspring's), I have found that your average dial-up
user is about as capable of reconfiguring and upgrading software as you or
I am of building a nuclear reactor with a pencil, some sand, and a stick of
bubble gum.

Imposing security measures or performance enhancement tricks after initial
implementation is a huge imposition on any company's technical support
staff, and frequently serves more as a customer irritant than anything
else. I remember having to assist flash.net customers with reconfigurating
their POP3 and SMTP clients when that provider went to a round-robin
load-balancing mail server system. It was ... painful.

ag

On Fri, Aug 21, 1998 at 01:42:47PM -0500, Aaron Goldblatt put this into my mailbox:

Imposing security measures or performance enhancement tricks after initial
implementation is a huge imposition on any company's technical support
staff, and frequently serves more as a customer irritant than anything
else. I remember having to assist flash.net customers with reconfigurating
their POP3 and SMTP clients when that provider went to a round-robin
load-balancing mail server system. It was ... painful.

"Well this is how we've always done it" isn't an excuse for sticking
with a boneheaded configuration. Yes, changing configurations is painful.
Yes, customers will bitch and whine and wail "But I'm not a computer person!"
Yes, support staff will have to walk customers through reconfiguring their
Endora and explaining why they need this STMP thing anyway. I've been doing
it all summer at work.

One extremely simple fix that the UUnet folks appear not to have stumbled
upon is to firewall outgoing connections on port 25 to any hosts other
than a specific list of earthlink, MSN, &etc mail hosts. This would only
require reconfiguration on the part of the particularly obstinate customers
who didn't follow the directions properly in the first place, and would
for the most part kill off the relay hijacking that goes on from those
networks.

Last - all these companies don't seem to understand that implementing these
fixes and dealing with the complaints in the short run will let them cut
down their abuse staff in the long run, because they won't have 500,000
e-mails to deal with every day. It's cheaper to fix it right, folks.

But this is getting to be off-topic, so I'll stop here. I'd suggest
taking it to inet-access or somesuch, but I'm not on those lists and
don't know what's appropriate for them.

-dalvenjah

I have UUNet's somewhere, and I think they are probably about the worst

ISPs sell customers a TCP/IP connection to the Internet. To me that means
taking my IP datagrams and delivering them to where I address them. I
don't see that filtering of outbound traffic is part of such a product,
any more than hijacking my connects to port 80 somewhere and plumbing me
into a "transparent" web cache is.

Why shouldn't dialup users run MTAs that do "proper" delivery?

On the other hand, I would fully support anyone's right to filter
connections from my dialin user pool addresses if they felt that they
needed to do that. I would, in my personal opinion, be happy to provide
such a person with my IP pool address ranges, or info on the domain names
we use for that (which are easy to deduce, anyway?).

(Of course, I'd rather persuade this person that my organization deals
responsibly with spammers - but no doubt I'd be unable to persuade some)

If enough people refused to take mail from my pool addresses then I guess
my customers will be duly "encouraged" to use the provided relays. (Most
do anyway, of course) If only a few refuse to take the mail then most
deliveries still work fine directly; and those few feel happy that they
are "protected".

Doesn't this arrangement make sense?

Regards,
Steve Davies
Operations, UUNET UK
(Who is in the UUNET group but does not influence policy for UUNET US)

else. I remember having to assist flash.net customers with reconfigurating
their POP3 and SMTP clients when that provider went to a round-robin
load-balancing mail server system. It was ... painful.

"Well this is how we've always done it" isn't an excuse for sticking
with a boneheaded configuration. Yes, changing configurations is painful.
Yes, customers will bitch and whine and wail "But I'm not a computer person!"
Yes, support staff will have to walk customers through reconfiguring their
Endora and explaining why they need this STMP thing anyway. I've been doing
it all summer at work.

Of course it's a boneheaded way to run an Internet business, if you plan to
be a decent Netizen. But consider: Companies like flash.net,
earthlink.net, mindspring.com, uu.net, etc., all exist for a single
purpose: to make money. It is -costly- to fix broken configurations that
have a direct impact on customers. You have to pay the support personnel
to wade through the email and handle the calls. You may have to pay for
the calls if you're dumb enough to have an 800 number for support. You may
additionally have to pay the 800 bill for your customers calling your sales
department 'cause they can't get through to the support department because
the lines are so clogged. And you may lose customers, which costs money.

Or you can continue to allow people to spam, which doesn't cost anything in
any quantifiable manner, and annoys your support staff a whole lot less.

Mind you, I'm all for doing the responsible thing. But I understand the
bottom line concerns that sometimes prevent it.

ag

I agree with you about their reasoning behind not solving the problem.
Consider though how upset tech support will be when they start receiving
calls...

"What's this 'RBL' thing I keep hearing about whenever I try to send mail
anywhere?"

If a company like Earthlink sees the two options - paying tech support to
fix mail software or paying tech support to answer RBL questions, and
willfully chooses RBL questions, then they are getting what they deserve,
because either way, they're going to get calls on the topic that need
answers. And from a corporate perspective, they should be approaching it
from the "You need to fix your e-mail like this because Earthlink is trying
to be a responsible member of the Internet", as opposed to "You got that
message because your ISP (us) has been blacklisted by the net for being a
spamhaven."

My $0.02 worth, everyone's mileage will, I am certain, vary.

D

...in the short term.

  But in the long term, people stop accepting mail from you,
  which costs even more. Talk to AGIS or ACSI (now eSpire) for
  first-hand accounts of how bad it can get when you piss off
  (or allow your customers to piss off) millions of people.

Of course it's a boneheaded way to run an Internet business, if you plan to
be a decent Netizen. But consider: Companies like flash.net,
earthlink.net, mindspring.com, uu.net, etc., all exist for a single
purpose: to make money. It is -costly- to fix broken configurations that
have a direct impact on customers.

I think we do an extremely good job of making sure our configurations are
not broken in any way that would make us a bad Netizen. If you believe
otherwise and have already tried going through normal channels
(abuse@mindspring.net or hostmaster@mindspring.net for example) and
haven't gotten satisfactory resolution, please don't hesitate to let me
know. We really do take our Core Values and Beliefs
(http://www.mindspring.com/aboutms/core.html) seriously, and they don't
just apply to direct customers.

You have to pay the support personnel to wade through the email and
handle the calls. You may have to pay for the calls if you're dumb
enough to have an 800 number for support.

There's no surviving in this business without it. The customers demand
it. It's just a cost of doing business.

Or you can continue to allow people to spam, which doesn't cost anything in
any quantifiable manner, and annoys your support staff a whole lot less.

And makes you look really bad to your peers, who, in this line of business
are also your customers and suppliers.

Brandon Ross Network Engineering 404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com
                                                            ICQ: 2269442

Stop Smurf attacks! Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.

Thus spake Aaron Goldblatt <aglists@trantortech.com> on Mon, Aug 24, 1998:

Of course it's a boneheaded way to run an Internet business, if you plan to
be a decent Netizen. But consider: Companies like flash.net,
earthlink.net, mindspring.com, uu.net, etc., all exist for a single
purpose: to make money.

Once again, capitalists bashing capitalism. Some day people will learn you
don't have to screw people to make money.

It is -costly- to fix broken configurations that
have a direct impact on customers. You have to pay the support personnel
to wade through the email and handle the calls. You may have to pay for
the calls if you're dumb enough to have an 800 number for support.

This perplexes me. MindSpring is currently the only dialup ISP to be turning
a profit, and we couldn't have done it without an 800 number for support plus
a support staff that's sharp enough to fix customer config problems quickly.
Yes, we pay a lot in 800 bills, but we also get a return on that investment.
Our support department actually generates income for us because they treat the
customer well enough to send us referrals. If you treat your customers better
than the other guys to the point that the customers notice, you *can* make
money.

You may
additionally have to pay the 800 bill for your customers calling your sales
department 'cause they can't get through to the support department because
the lines are so clogged. And you may lose customers, which costs money.

Certainly does, so we hire people who can fix the problems fast enough not
to clog the lines. Not to mention the PBX voice prompts which keep lots of
support issues out of the sales lines and vice versa.

Or you can continue to allow people to spam, which doesn't cost anything in
any quantifiable manner, and annoys your support staff a whole lot less.

We have very stringent anti-spam policies. It is in our interest to get rid of
customers who abuse our network, and we do. We've also laid out lots of capital
to block incoming spam, so we are familiar with the costs.

Mind you, I'm all for doing the responsible thing. But I understand the
bottom line concerns that sometimes prevent it.

Again, it's in the bottom line interest to do the responsible thing.

ISPs sell customers a TCP/IP connection to the Internet.

Not necessarily. A number of ISPs on this side of the pond are starting to
make a booming business out of selling "filtered internet"; essentially
server-side filtering of web content.

ISPs sell customers whatever it is they choose to sell them. The customer,
as well, has the option of shopping around for the service they're looking
for. If you, as a customer, are violently opposed to your ISP filtering
you, then you have the choices of switching to an ISP that serves your
needs, or getting other customers to try and convince your ISP to change
policy.

Why shouldn't dialup users run MTAs that do "proper" delivery?

Nothing wrong with it at all (my home system, at the end of a dialup link,
does so). Of course, with an ISP that filters outbound port 25 traffic,
you'll want to smarthost everything to the ISP's mail server. Not much
different, in the grand scheme of things.

On the other hand, I would fully support anyone's right to filter
connections from my dialin user pool addresses if they felt that they
needed to do that.

You've just transferred the burden of dealing with your dialup pool to
other administrators, instead of dealing with the problem locally. Yes,
you may respond quickly to abuse problems, but the fact is that abuse
problems will still occur.

Doesn't this arrangement make sense?

Absolutely. So does filtering traffic and spam filtering at your central
mail spool to ensure that the problem never happens in the first place.

ISPs sell customers a TCP/IP connection to the Internet. To me that means
taking my IP datagrams and delivering them to where I address them. I

UUNET sells connections to users that allows them to deliver packets? Only
problem is so many places block more and more UUNET traffic every day.
Eventually UUNET will have to do something about its inability to transit
anything except the backbones and it's a pretty lonely world out there on
your own.

UUNET is not the only offender. Although I must compliment NETCOM.NET for
their speedy and responsive fix to a SPAMMER last week. I was actually
SURPRISED to get a response - personalised. But it arrived and that's a
credit to NETCOM.

On the other hand, I would fully support anyone's right to filter
connections from my dialin user pool addresses if they felt that they
needed to do that. I would, in my personal opinion, be happy to provide
such a person with my IP pool address ranges, or info on the domain names
we use for that (which are easy to deduce, anyway?).

Please send me the list of Domain Names and IP addresses. You might have
to do it via this list as we got fed up with sending requests to UUNET to
sort out the SPAMMING problems and just deny UU.NET totally.

(Of course, I'd rather persuade this person that my organization deals
responsibly with spammers - but no doubt I'd be unable to persuade some)

Please try. I've got 20 odd forwards of SPAMS from the last two months that
have had ZERO response and over 2 months from the first message, they kept
coming.

I guess there is a limit to patience and "seven day grace periods."

If enough people refused to take mail from my pool addresses then I guess
my customers will be duly "encouraged" to use the provided relays. (Most

One hopes, but it's not the legitimate customers that are the problem and
in some countries the ISPs have to foot the bill for YOUR clients sending
JUNK to them anyway. It would be far cheaper for everyone to not have
those little stretches of SMTP spanning the world trying to make a delivery
only to be rejected and instead reject them where it doesn't cost money.

do anyway, of course) If only a few refuse to take the mail then most
deliveries still work fine directly; and those few feel happy that they
are "protected".

I'm not happy. I've now got a list of SPAM relay sites that grows far too
rapidly. Eventually no one will be able to send email to our networks or
those of our associates.

So much for "Inteenet"

Doesn't this arrangement make sense?

No.

Are you saying it's fine for your network users to send traffic over other
people's links to be rejected? When you know full well it will be rejected?

ISPs sell customers a TCP/IP connection to the Internet. To me that means
taking my IP datagrams and delivering them to where I address them. I
don't see that filtering of outbound traffic is part of such a product,
any more than hijacking my connects to port 80 somewhere and plumbing me
into a "transparent" web cache is.

Why shouldn't dialup users run MTAs that do "proper" delivery?

There is a company called TCPS that sends millions of spam messages in
direct violation of UUNet's own AUP.

They make exclusive use of resellers who lease UUNET dialups.

According to UUNet abuse czar John Bradshaw, no fewer than 82 -- *82* --
TCPS-held dialup accounts had been nuked by resellers; this number was
given sometime in early August, I think. They keep on getting new accounts
with other companies.

Now, do you want to ask me that question again... Thought not.

Not that I care, I'm putting filters into place on my mail server that block
mail from UUNet dialups and relays anyhow. But the answer to your question
is, "It would save them a lot of trouble and money as there would be far
fewer AUP violations to have to deal with."

Besides, what are you defining as "proper delivery"?

On the other hand, I would fully support anyone's right to filter
connections from my dialin user pool addresses if they felt that they
needed to do that. I would, in my personal opinion, be happy to provide
such a person with my IP pool address ranges, or info on the domain names
we use for that (which are easy to deduce, anyway?).

Why is it my responsibility to filter users who are breaking your rules?
It's UUNet's responsibility to enforce its AUP. It's also UUNet's
responsibility to its shareholders to keep costs down and revenues high, and
I could argue that preventing dialups from being used to send mail will cut
a lot of the costs associated with cleaning up after spammers.

(Of course, I'd rather persuade this person that my organization deals
responsibly with spammers - but no doubt I'd be unable to persuade some)

Steve, don't even get me started on this. I've been spammed by UUNet
SALES REPS.

I think there are people within the company who want to do the right thing,
but I doubt the suits care.

If enough people refused to take mail from my pool addresses then I guess
my customers will be duly "encouraged" to use the provided relays. (Most
do anyway, of course) If only a few refuse to take the mail then most
deliveries still work fine directly; and those few feel happy that they
are "protected".

Doesn't this arrangement make sense?

Filtering is a good thing. But: UUNet getting up off their butts and finishing
what they started WRT net abuse is better.

UUNet leases dialups to ISPs. Why can't UUNet figure out a way to ensure that
customers of ISP X only use ISP X's mail and news servers?

It's NOT OUR RESPONSIBILITY TO POLICE UUNET. IT'S UUNET'S RESPONSIBILITY TO
POLICE UUNET.

Regards,
Steve Davies
Operations, UUNET UK
(Who is in the UUNET group but does not influence policy for UUNET US)

Understood...

regards
  ...sjs

Wow.. I've got to tell some people that they've been misreading their
numbers for the past couple of years.

ISPs sell customers a TCP/IP connection to the Internet. To me that means
taking my IP datagrams and delivering them to where I address them. I
don't see that filtering of outbound traffic is part of such a product,

Fair enough.

On the other hand, I would fully support anyone's right to filter
connections from my dialin user pool addresses if they felt that they
needed to do that. I would, in my personal opinion, be happy to provide
such a person with my IP pool address ranges, or info on the domain names
we use for that (which are easy to deduce, anyway?).

This is what we do here. Our MTA returns "We dont' accept mail from
dialup ports" to the senders. As long as uunet maps their dialups into
subdomains, it's no problem.

(Of course, I'd rather persuade this person that my organization deals
responsibly with spammers - but no doubt I'd be unable to persuade some)

This is the heart of the problem in the US. The practice of renting
dialup to other providers is not a problem as long as the people who OWN
the equipment do not disclaim responsibility for its use. What is
happening in the US is that a spammer (typically) will get on some service
which uses UUnet equipment and start spamming on a Friday night. You send
a complaint to UUnet and get a robotic response, but the spammer will
continue on until Monday at least, when UUnet's customer shuts him off.

This is unacceptable. UUnet's US abuse department has claimed that such
spammers are not their customers, so they are not responsible for what
the spammer does while using their equipment, and so UUnet is violating
its own AUP. This leads to a bad, bad, place. What if the abuser were
a smurfer or a ping-flooder instead of a spammer?

Right now, UUnet in the US is the main source of spam on the internet,
and this is due to UUnet's irresponsible policy. US spammers have found
that it is cost-effective to get an account from an access reseller which
uses UUnet hardware, and spam for up to a week before action is taken
against them. You can send a million spams for the cost of one
entry-level dialup account. They do this repeatedly, as evidenced by a
single spammer using an NYC uunet pop for at least two months now.

This has to be fixed to make spamming more expensive. Shut off the
spammer as soon as complaints come in, and then forward the whole mess --
Spams, complaints, logs -- To the reseller and let them sort it out AFTER
the spammer's access is removed.

Bill <postmaster@iconn.net>

Bill Becker wrote:

Right now, UUnet in the US is the main source of spam on the internet,
and this is due to UUnet's irresponsible policy. US spammers have found
that it is cost-effective to get an account from an access reseller which
uses UUnet hardware, and spam for up to a week before action is taken
against them. You can send a million spams for the cost of one
entry-level dialup account. They do this repeatedly, as evidenced by a
single spammer using an NYC uunet pop for at least two months now.

I don't think this is an indictment of the whole Internet, more how
UUnet gets around to applying their AUP, therefore, ....

This has to be fixed to make spamming more expensive. Shut off the
spammer as soon as complaints come in, and then forward the whole mess --
Spams, complaints, logs -- To the reseller and let them sort it out AFTER
the spammer's access is removed.

.... I think this is a little too draconian for my taste. A little
investigation might be in order, so we satisfy ourselves that the
accused is guilty before we cut them off.

Spammers: Shut 'em off and let God sort 'em out! >;)

-Steve