Spam Control Considered Harmful

Phil,
  The problem with the 'Caller-ID' idea is verifying that an email address is 'valid' (assuming you have a reasonable definition for 'valid'). About the only thing that sendmail can do is verify a reverse lookup is equal to its forward lookup. We do this and it helps because we can then block sites from MX'ing through us based on a ruleset (e.g. customer list).
  In an effort to research from where we get spammed, we get a daily report (see below) of the sites that spammed us, who they were trying to spam and where they came from. The most frequent pattern we are seeing is spam from simple dialup PPP accounts purchased all across the country; AT&T, UUNET, SWBell, BellSouth, etc. I know where they came from and yet knowing that does not help. We cannot block all of UUNET just because some ppp customer used our servers to spam.

  cal

    "I live in a house of brick instead of a tent of canvas because I have little faith in my fellow man (and mother nature) being 100% perfect 100% of the time; they are only 99% perfect 99% of the time. The remaining 1%'s are a real pain. So, I tuckpoint my mortar, own a dog and watch my things. This keeps me busy and gives me purpose."

> The problem with the 'Caller-ID' idea is verifying that an email address is
> 'valid' (assuming you have a reasonable definition for 'valid'). About the
> only thing that sendmail can do is verify a reverse lookup is equal to its
> forward lookup.

Exactly. I guess the question is, should we build more sender verification
into sendmail, on both the sending and receiving side?

Phil Lawlor
President
AGIS
Voice - 313-730-1130
Fax - 313-563-6119

Phil Lawlor wrote:

> The problem with the 'Caller-ID' idea is verifying that an email address is
> 'valid' (assuming you have a reasonable definition for 'valid'). About the
> only thing that sendmail can do is verify a reverse lookup is equal to its
> forward lookup.

Exactly. I guess the question is, should we build more sender verification
into sendmail, on both the sending and receiving side?

Phil Lawlor
President
AGIS
Voice - 313-730-1130
Fax - 313-563-6119

  It would seem like a nice feature for Sendmail, but do you think it is
realistic to assume that everyone would upgrade? I know of many hosts which
use "outdated" versions of Sendmail. Then you would be faced with the
question of whether to only allow connections from the latest version of
sendmail (with the sender verification), which would limit its usefulness.

Derek Andree
derek@firstcomm.com

Right. Companies that don't have a need to upgrade, won't go through the
expense. In many areas, caller ID is an optional feature that costs more
to have. I found it very useful earlier this year when someone posted my
home phone number on the Internet. If spam is really a big problem for an
organization, then they will go through the pain to solve it.

Phil Lawlor
President
AGIS
Voice - 313-730-1130
Fax - 313-563-6119

Phil,
  The analog to email in the real world is the US Postal service where we have even far weaker authentication systems in place. To cope with abuses, we passed laws governing the use of the mails when Ben Franklin got an anonymous and most unwelcomed solicitation from Thomas Jefferson.
  I personally see no practical technical means of eliminating the practise of spamming and rather than spending time trying to dream up fancier and smarter sendmail's, we should seek to simply expand the current mail fraud laws to cover electronic mail. Then we can simply sic the FBI on these people armed with terabytes of logs and spam emails and then see what happens when a few are convicted of electronic mail fraud and sent up the river for a rest.

  Cal

    "Yes, my house is made of brick, but the front door is made of glass. I do this because I have faith in the social contract I have with my neighbors that assures me that they won't break it and I won't call the cops (or, when I lived in Texas, use my gun)."

This is _really_ too, too good to pass up...

but I will, anyway.

Cheers,
-- jra

And what will the FBI do when spammers leave the US and do their deed from
other countries? Spammers won't be stopped by legislation or
technology...the average internet user can't handle the amount of
technology necessary to keep spam out of their mail. The average sysadmin
isn't much better off. I had to disable my latest anti-spam sendmail rule
today (denying incoming mail from sites with no or incorrect in-addr.arpa
DNS) because a client is trying to do business with a site that has
existed for a year and a half and never set up in-addr.arpa DNS.

Spam can only be stopped by responsible providers not allowing their
clients to abuse the net. Phil's attitude of "We provide internet
connectivity. If you don't like spam, _you_ do something about it." has
nearly destroyed AGIS. Who's going to be next?

BTW...Cal...obtain a linefeed.

Anyone running outdated versions of sendmail has not only not met their
obligations as a sysadmin, but they are also asking to have their networks
owned. Sendmail is updated so often because it has MAJOR security holes
and bugfixes. I guarantee you that if you gave me one of the sites that
is running outdated sendmail, they could be "owned" in a very short time.
There are far too many remote sendmail exploits for older versions to not
upgrade. Checking http://www.geek-girl.com/bugtraq and doing a search on
sendmail will verify this. So, upgrading should be a priority to anyone
who's running anything less than Sendmail 8.8.8.

Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
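
Added example (not part of the original thread, and not sendmail's own code): the reverse-equals-forward lookup check mentioned at the top of the thread, together with the reject-on-missing-in-addr.arpa rule and the legitimate-site false positive described above, sketched in Python. The function names, the exemption list and every DNS record below are assumptions constructed for illustration.

```python
import socket

def system_resolver():
    """(ptr, a) lookup functions backed by the host resolver (IPv4 only)."""
    def ptr(ip):
        try:
            name, aliases, _ = socket.gethostbyaddr(ip)
            return [name, *aliases]
        except OSError:          # no PTR record, or the lookup failed
            return []
    def a(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:
            return []
    return ptr, a

def table_resolver(ptr_table, a_table):
    """Same interface, answered from in-memory tables so it runs offline."""
    norm = lambda n: n.lower().rstrip(".")
    return (lambda ip: ptr_table.get(ip, []),
            lambda name: a_table.get(norm(name), []))

def fcrdns(ip, ptr, a):
    """Return (verdict, name) where verdict is 'pass', 'no-ptr' or 'mismatch'."""
    names = ptr(ip)
    if not names:
        return "no-ptr", None
    for name in names:
        if ip in a(name):        # forward lookup must lead back to the same IP
            return "pass", name.lower().rstrip(".")
    return "mismatch", None      # PTR claims a name its forward zone does not confirm

def decide(ip, ptr, a, exempt=frozenset()):
    """Reject on a failed check unless the peer is on a local exemption list."""
    verdict, _ = fcrdns(ip, ptr, a)
    return "accept" if verdict == "pass" or ip in exempt else f"reject ({verdict})"

# Constructed records using documentation address ranges and example domains.
PTR = {"192.0.2.10": ["mail.example.net."],
       "203.0.113.5": ["mx.example.org."]}     # 198.51.100.7 has no PTR at all
A = {"mail.example.net": ["192.0.2.10"],
     "mx.example.org": ["203.0.113.99"]}       # forward record points elsewhere
RESOLVER = table_resolver(PTR, A)

if __name__ == "__main__":
    for peer in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(peer, fcrdns(peer, *RESOLVER), decide(peer, *RESOLVER))
```

Passing system_resolver() instead of RESOLVER runs the same check against live DNS; the exemption set models a known correspondent whose reverse zone was never set up.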

> And what will the FBI do when spammers leave the US...

In these cases, we normally turn them into international trade issues.

If we all freely admit that this problem is beyond a technical solution,
what are our alternatives? Even in the best of cases, sometimes we have no
choices. In Agis's case, they recently took action and disconnected a known
spammer site; they were taken to court and ordered to restore service. I
am not sure how well my own Use Policy would hold up were we ever to be
dragged into court.

As the wild west days of the Internet wane and our Clint Eastwood heroes,
(e.g. the Honorable Paul Vixie) find themselves marginalized by savvy
customers with court orders, we will find that migrating from gun slinging
to organized law enforcement is far cheaper and more effective in the long run.

I am just as willing as the next 'responsible provider' to be responsible.
However, if I cannot also have the authority that comes with it or at least can
turn to someone who does, then we will end up in a free-for-all situation which,
come to think of it, is what is happening now. No One on the Internet
has the authority to turn Anyone off no matter what they do, nearly.

Check my spamming report from last night, I see my top abuser yesterday was
an MCI customer (see trace). Though I have sent lots of complaints to MCI,
never have I ever gotten a human reply with followup. In fact, in my personal
experience, I have never had any of the big backbone providers do much other
than send me an automated reply, except for one; Agis. Perhaps it is because
I am a customer that they listen to me whine, but it does seem that in all of the
public discussions thus far, I have only seen one provider even willing to
engage in a conversation on spamming. And yet who is the preferred whipping
boy, since uunet, bellsouth, mci, et al. are all bright enough to know when
to duck an issue? hmmm.

  Cal

    Esse, my neighbor, asked, "are you letting people come and
pick from your garden, honey?"
    "No, why do you ask?"
    "Well, the man on the top floor sent over his step daughter
to pick some things and I just thought you should know."
    Sure enough, my first crop of peaches were gone along with some
other things. I installed a broken video camera on my house overlooking the
garden. I have not lost anything since.

wickerpark 212) t netsgo.com
traceroute to netsgo.com (210.115.123.108), 30 hops max, 40 byte packets
1 CHI-Cisco01.ThoughtPort.COM (199.171.236.1) 40 ms 10 ms 10 ms
2 CHI-DET-Cisco01.BB.ThoughtPort.COM (199.171.248.2) 30 ms 10 ms 10 ms
3 a0.1008.chicago4.agis.net (205.137.60.238) 30 ms 20 ms 20 ms
4 a0-0.1.chicago2.agis.net (205.254.173.250) 30 ms 20 ms 30 ms
5 aads.mci.net (198.32.130.12) 70 ms 4 ms 60 ms
6 aads.mci.net (198.32.130.12) 70 ms * 130 ms
7 * core1.Bloomington.mci.net (204.70.4.161) 190 ms 130 ms
8 core2-hssi-2.Sacramento.mci.net (204.70.1.138) 300 ms * 620 ms
9 border7-fddi-0.Sacramento.mci.net (204.70.164.51) 120 ms 110 ms 120 ms
10 yukong-ltd.Sacramento.mci.net (204.70.122.86) 250 ms 260 ms 280 ms
11 abs.netsgo.com (210.115.123.108) 260 ms 260 ms 270 ms

> you want the Federal government to step in and regulate the industry...

Am I willing to give up some control to stop what seems to be rampant abuse. If
200 emails a day is not your threshold, what is? 400? 600? We have similar structures
in place for the use of the mails, the phones, the highways. What makes the Internet so
special?

If we were to treat the Internet like the real world, we would be charging for each
email sent instead of giving it away. Metering each letter and billing the source
works in the real world.

Sendmail is not Panacea. It is clever. Were that I was bright enough to write
such a tool, even with the aid of creational drugs, but even so, it cannot outsmart
man.

  cal

    "Sendmail is the most widely used AI program in the world", Mike O'Dell.

> And what will the FBI do when spammers leave the US...

This is really a red herring -- any spam control law, even one of the
bad ones like the Murkowski bill applies to any resident of the U.S.,
even if he hires someone in Moldova to send out his spam. To escape
U.S. law the spammer has to move his entire business offshore. In
practice we're unlikely to see much offshore spam because the goal of
spammers is to collect money from suckers, and it's a whole lot harder
to do so if you don't have a domestic mailing address and bank
account.

Also, as others have pointed out, there aren't a lot of other
countries with low cost unmetered Internet connections and, other than
Canada, even those are connected to the U.S. by long, thin, expensive
undersea cables whose proprietors aren't likely to enjoy having them
filled with spam and angry responses.

> It would seem like a nice feature for Sendmail, but do you think it is
> realistic to assume that everyone would upgrade? I know of many hosts which
> use "outdated" versions of Sendmail.

The issue isn't so much everyone upgrading (tho ultimately that is an
issue) but, rather, everyone cooperating.

A spammer or other foul being can return anything they want on a
"caller id" request in the current internet. They can send a msg
supposedly from "bill@whitehouse.gov" and then when asked for
verification say "ayup, it's bill@whitehouse.gov".

The only reason caller-id works in the phone system is because it's
the sole provenance of the highly regulated (and generally
disinterested, as far as lying for you goes) telcos. And truth be told
caller-id doesn't work very well even in the telephone system, except
inasmuch as you're willing to refuse all unidentified calls.

I suppose a scheme like this slows down the hit+run whackamoles who
use throw-away dial-up accounts, but only so long as they can't use
their own MTA (which they usually can if it's just a straight PPP
connection.)

I don't think we can get anywhere so long as one spends time
addressing suggestions from individuals who admit they don't
understand the technology and who clearly have as an agenda to keep
taking monthly fees from spammers (the very few worst excepted.)

The answer is two-fold:

1. Make the implicit theft-of-service specifically illegal and
tortious. In particular, not identifying the source of the spam in the
message (see the recently passed Nevada anti-spam law for some good
language on this.) Screw technology on this one, if they defraud they
go to jail.

2. Let advertisers devise voluntary schemes profitable to all parties
involved.

So (hypothetically, if I were a spammer) if I rent a P.O. box from some
mailbox rental place using a fake ID, buy an account overseas with another
fake ID, and use that account to relay spam through old broken mail
servers all over the world...servers that don't insert in the header the
true IP of the sender...the FBI will somehow stop me? I suppose they
could stake out the P.O. box, but lots of spam doesn't involve sending
money. How about the offshore area codes (I think 809 was one) spammers
urge you to call to collect your free prize or avoid having your credit
record destroyed? You call and the telco bills you for them. They need
no presence in the US, and I'd therefore assume are untouchable by the
FBI.

Since none of this does my Cisco any good, shouldn't we move the
discussion to a more appropriate list, or create one for it?

Perhaps netop-spam...a spam discussion list for network operators? If it
doesn't already exist, I'll be happy to create it.

As noted previously, this _is_ on topic for nodlist@nodewarrior.net.

Cheers,
-- jra

[ On Sat, November 1, 1997 at 17:20:17 (-0500), Jay R. Ashworth wrote: ]

Subject: Re: Boy are we off-topic...was Re: Spam Control Considered Harmful

>
> Perhaps netop-spam...a spam discussion list for network operators? If it
> doesn't already exist, I'll be happy to create it.

> As noted previously, this _is_ on topic for nodlist@nodewarrior.net.

I don't think anyone really wants to subscribe to yet another list, or
at least I don't, not without previewing it for a while and that's
rather hard to do if there's no browsable archives or something. It's
really too bad Usenet has more or less gone to the dogs.... Once upon a
long time ago I had hoped most mailing lists would go the way of the
wind and everyone would use Usenet for multi-party discussion.