Spam Control Considered Harmful

Cal Thixton - President - ThoughtPort Authority of Chicago put this into my mailbox:

  In an effort to research from where we get spammed, we get a
daily report (see below) of the sites that spammed us, who they were
trying to spam and from where they came from. The most frequent
pattern we are seeing are spams from simple dialup PPP accounts
purchased all across the country; AT&T, UUNET, SWBell, BellSouth,
etc... I know where they came from and yet knowing that does not
help. We cannot block all of UUNET just because some ppp customer
used our servers to spam.

This has been my experience too.

Is there a good reason why the throwway folks (those mentioned above)
haven't blocked port 25 from their dialups to the outside internet?

It seems that this would help stop the hijacking of other SMTP relays
that occurs, and limit abuse to that ISP's own servers, where it can
be better controlled.

The only reason I can think of that would stop this would be if a
user subscribes to earthlink, but uses a UUnet dialin, that customer's
software would be set up to use the Earthlink SMTP servers.

Keep in mind again I don't yet know much about how this would impact
router performance..but wouldn't one be able to set up access-lists,
then, that would allow port-25 connections to a defined list of SMTP
servers (say, UUnet, MSN, and earthlink SMTP servers), and prohibit
everything else?

Why aren't they doing this?

I've currently blocked all of UUnet and PSInet from my mail server -
spam about dropped in half. But I'm still getting spam through
what appear to be unsuspecting relays - and the source is one of those
dialup, throwaway accounts.

-dalvenjah

Is there a good reason why the throwway folks (those mentioned above)
haven't blocked port 25 from their dialups to the outside internet?

We are an ISP and we don't block our dialups from going to port 25 elsewhere
because this would eliminate their ability to rightfully use another mail
server. This frequently occurs when a user accesses a mail server at work
from their home dialup account. If other ISPs did this, we would have a
problem where a user dialing into their ISP couldn't reach their virtual
mail server, hosted on our network. We currently don't have many going
the other way, but that may change.

The only reason I can think of that would stop this would be if a
user subscribes to earthlink, but uses a UUnet dialin, that customer's
software would be set up to use the Earthlink SMTP servers.

In our case, this doesn't help since we and all the other local ISPs block
relay access, so you have to use the mail server of the ISP you are
currently connected to.

John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
205/883-4233x7007 Huntsville, AL 35801

Is there a good reason why the throwway folks (those mentioned above)
haven't blocked port 25 from their dialups to the outside internet?

This is on point.

As long as the dialup providers do not see fit to impose _some_ sort of
filtering on the outgoing mail of their customers, at least until the
account is validated, this crap will continue.

The only reason I can think of that would stop this would be if a
user subscribes to earthlink, but uses a UUnet dialin, that customer's
software would be set up to use the Earthlink SMTP servers.

The instance of multihomed dialup customers can be dealt with without
letting throwaway accounts cause the problem that they do, if the
providers cared to do so. Personally, I think that blackholing entire
commercial providers will solve the problem. I'd use a filter that
bounced headers back to postmasters with a note explaining why the
filter was in place. In fact, I may well do just this on my system...
a Spaminator<tm> is in planning here, and we're not a paid system, so I
can get away with more than some folks.

I've currently blocked all of UUnet and PSInet from my mail server -
spam about dropped in half. But I'm still getting spam through
what appear to be unsuspecting relays - and the source is one of those
dialup, throwaway accounts.

See above.

Until a concensus is reached on a legal way to force the administrations
of these dialup providers to behave in a reasonable, ethical manner
(cooperating with people engaging in fradulent behavior, when there's a
method with a low bar to entry to avoid it, is unethical), this problem
will continue to be of the order of magnitude it currently is.

I think it will get fixed the first time some ISP is named as an
accessory in a fraud suit, but I don't want to wait that long.

Cheers,
-- jra

> Is there a good reason why the throwway folks (those mentioned above)
> haven't blocked port 25 from their dialups to the outside internet?

We are an ISP and we don't block our dialups from going to port 25 elsewhere
because this would eliminate their ability to rightfully use another mail
server. This frequently occurs when a user accesses a mail server at work
from their home dialup account. If other ISPs did this, we would have a
problem where a user dialing into their ISP couldn't reach their virtual
mail server, hosted on our network. We currently don't have many going
the other way, but that may change.

This is roughly akin, though, isn't it, John, to the cache pollution
problems that make it pretty much a requirement to run 2 separate
nameservers: one for recursion and caching, and the other to be
authoritative?

Run a separate relay server, with some authentication, for users
connecting from outside your AS.

> The only reason I can think of that would stop this would be if a
> user subscribes to earthlink, but uses a UUnet dialin, that customer's
> software would be set up to use the Earthlink SMTP servers.

In our case, this doesn't help since we and all the other local ISPs block
relay access, so you have to use the mail server of the ISP you are
currently connected to.

Hold it. Didn't you just say the opposite above?

I think I'm confused.

Cheers,
-- jra

> We are an ISP and we don't block our dialups from going to port 25 elsewhere
> because this would eliminate their ability to rightfully use another mail
> server. This frequently occurs when a user accesses a mail server at work
> from their home dialup account. If other ISPs did this, we would have a
> problem where a user dialing into their ISP couldn't reach their virtual
> mail server, hosted on our network. We currently don't have many going
> the other way, but that may change.

This is roughly akin, though, isn't it, John, to the cache pollution
problems that make it pretty much a requirement to run 2 separate
nameservers: one for recursion and caching, and the other to be
authoritative?

Run a separate relay server, with some authentication, for users
connecting from outside your AS.

The point is there can be no useful authentication for outgoing email if
you don't block it by IP address. However, that is a discussion about
blocking spam relay, not about blocking outgoing SMTP. If we install a
filter at the router that blocks all traffic from dialup connections to
port 25 anywhere else, then it doesn't matter how many servers we run they
can't get to another SMTP server, even if they are supposed to be doing it.

> > The only reason I can think of that would stop this would be if a
> > user subscribes to earthlink, but uses a UUnet dialin, that customer's
> > software would be set up to use the Earthlink SMTP servers.
>
> In our case, this doesn't help since we and all the other local ISPs block
> relay access, so you have to use the mail server of the ISP you are
> currently connected to.

Hold it. Didn't you just say the opposite above?

He offered an example of a customer that has dialup access to two ISPs,
and wants to connect to the SMTP server of the one he isn't currently
connected to. Because of the relay blocking that we and all the other ISPs
in town implement (and hopefully ISPs elsewhere), the customer can't do that
anyway.

What I said above is that there are other examples that our customers expect
to work, specifically connecting to an SMTP server at work or connecting to
a virtual domain hosted at another ISP (in our case it is primarily the
vdom user dialup into another ISP and accessing the site here), that is
why we can't block all traffic from dialup to port 25 anywhere.

I think you are confusing the issue of blocking unauthorized relay access
to your SMTP server, which is easy to do based on CIDR blocks, with that of
preventing dialup customers from relaying through the SMTP servers of others.
The difficulty in the latter is finding a way to determine what SMTP servers
they are supposed to have access to and then implementing that in a router
access list.

John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
205/883-4233x7007 Huntsville, AL 35801

> This is roughly akin, though, isn't it, John, to the cache pollution
> problems that make it pretty much a requirement to run 2 separate
> nameservers: one for recursion and caching, and the other to be
> authoritative?
>
> Run a separate relay server, with some authentication, for users
> connecting from outside your AS.

The point is there can be no useful authentication for outgoing email if
you don't block it by IP address. However, that is a discussion about
blocking spam relay, not about blocking outgoing SMTP. If we install a
filter at the router that blocks all traffic from dialup connections to
port 25 anywhere else, then it doesn't matter how many servers we run they
can't get to another SMTP server, even if they are supposed to be doing it.

Oh, ok. Sorry. Right. I misread the other gentleman's suggestion.

> Hold it. Didn't you just say the opposite above?

He offered an example of a customer that has dialup access to two ISPs,
and wants to connect to the SMTP server of the one he isn't currently
connected to. Because of the relay blocking that we and all the other ISPs
in town implement (and hopefully ISPs elsewhere), the customer can't do that
anyway.

Right. Got it.

What I said above is that there are other examples that our customers expect
to work, specifically connecting to an SMTP server at work or connecting to
a virtual domain hosted at another ISP (in our case it is primarily the
vdom user dialup into another ISP and accessing the site here), that is
why we can't block all traffic from dialup to port 25 anywhere.

Rog. On deck now.

I think you are confusing the issue of blocking unauthorized relay access
to your SMTP server, which is easy to do based on CIDR blocks, with that of
preventing dialup customers from relaying through the SMTP servers of others.
The difficulty in the latter is finding a way to determine what SMTP servers
they are supposed to have access to and then implementing that in a router
access list.

Right. Of course, that's a Small Matter of Administration.

Cheers,
-- jra

[ On Wed, October 29, 1997 at 18:14:38 (-0600), John A. Tamplin wrote: ]

Subject: Re: Spam Control Considered Harmful

> Is there a good reason why the throwway folks (those mentioned above)
> haven't blocked port 25 from their dialups to the outside internet?

We are an ISP and we don't block our dialups from going to port 25 elsewhere
because this would eliminate their ability to rightfully use another mail
server.

That's all fine and dandy just so long as you trust your customers and
you are certain they will adhere to your AUP.

However if you offer cheap dial-up accounts that can be opened either
immediately, perhaps with a credit card number, then you've got no real
way to establish *any* level of trust with your new customers and indeed
the only way you can enforce your AUP is by technical means. I.e. if
your AUP says no spamming then you *must* implement controls that
prevent new customers from spamming. Period. Otherwise Joe Spammer
just buys a one-time (throw-away) account from you and violates your AUP
under false pretenses. I've even heard first-hand rumours that many
spammers offer fraudulent credit card numbers and personal
identification so you can't even try to bill them extra for breaking
their contract.

This frequently occurs when a user accesses a mail server at work
from their home dialup account. If other ISPs did this, we would have a
problem where a user dialing into their ISP couldn't reach their virtual
mail server, hosted on our network. We currently don't have many going
the other way, but that may change.

There's no excuse for this. The user should (and must in the proposed
plan) use the mail relay operated by the ISP they dial into for *all*
outgoing mail.

Only under a full roaming system where authentication information
originates from the "home" ISP can you allow the user to connect to any
other mail relay server, and in fact in this case you probably want to
restrict them to only thie rhome ISP's mail relay server and not allow
them to use your own local mail relay server.

In our case, this doesn't help since we and all the other local ISPs block
relay access, so you have to use the mail server of the ISP you are
currently connected to.

Exactly, so what's the problem?

[ On Wed, October 29, 1997 at 21:53:52 (-0600), John A. Tamplin wrote: ]

Subject: Re: Spam Control Considered Harmful

[....]
The difficulty in the latter is finding a way to determine what SMTP servers
they are supposed to have access to and then implementing that in a router
access list.

There should be no difficulty at all in doing this. If they dial into
your network then they use your outgoing mail relay server, and yours
alone. Period. (Unless you have some kind of agreement in a roaming
system where you authenticate your own users to someone else's dial-up
and vice versa, in which case you only allow the user to connect to the
the "home" ISP's mail relay host(s).)

Yes, there is. It's a question of span of administrative control.

If I decided to allow my users to make use of their telecommunting
connectivity for personal use, I _do not want them_ using my mail
server for that, so as to avoid any potential liability for my company
under any theory. Sure, use the great high bandwidth connection, but
get your mail and news services from a commercial provider.

But then, you're probably the type that thinks an A record isn't enough
to route mail, too...

Cheers,
-- jra

> We are an ISP and we don't block our dialups from going to port 25 elsewhere
> because this would eliminate their ability to rightfully use another mail
> server.

That's all fine and dandy just so long as you trust your customers and
you are certain they will adhere to your AUP.

However if you offer cheap dial-up accounts that can be opened either
immediately, perhaps with a credit card number, then you've got no real
way to establish *any* level of trust with your new customers and indeed
the only way you can enforce your AUP is by technical means. I.e. if
your AUP says no spamming then you *must* implement controls that
prevent new customers from spamming. Period. Otherwise Joe Spammer
just buys a one-time (throw-away) account from you and violates your AUP
under false pretenses. I've even heard first-hand rumours that many
spammers offer fraudulent credit card numbers and personal
identification so you can't even try to bill them extra for breaking
their contract.

There are costs of allowing spam and costs of stopping spam. If the costs
of stopping it exceed the cost of allowing it, then obviously it is in our
best interest to allow it. For example, there is a 100% certain way of
stopping spam -- unplug the wire. However, the fact that we are all here
attests to the fact we deem this too high a cost for the benefit gained.

In our case, there are legitimate uses that customers expect to be able to
do, and we are unwilling to lose their business. (More below).

If a spammer supplies a fraudulent credit card number, they have just
committed a crime and can be prosecuted for that. The spam they send out,
to be useful, must have a way of contacting them so that leaves a way to
track down who they are. If a spammer wants to risk jail time to send out
some bulk email, anything I do isn't going to stop him. You don't see junk
faxes since it was made illegal.

If they do supply their own credit card number, we charge $1 per intended
recipient for any outgoing spam. That can quickly cost them more than they
get from it and thus serves as a significant disincentive for them to spam.

> This frequently occurs when a user accesses a mail server at work
> from their home dialup account. If other ISPs did this, we would have a
> problem where a user dialing into their ISP couldn't reach their virtual
> mail server, hosted on our network. We currently don't have many going
> the other way, but that may change.

There's no excuse for this. The user should (and must in the proposed
plan) use the mail relay operated by the ISP they dial into for *all*
outgoing mail.

Ok, a customer is paying for a virtual domain service. They want their
outgoing mail to appear as if they are running their own mail server, they
don't want people to know they are using someone else for it. If they use
their other ISP for SMTP relay, that shows up in the outgoing mail. I
agree this is a minor issue for me, but it is not for some of our
customers and since the customer is paying the bill, he gets what he wants.

> In our case, this doesn't help since we and all the other local ISPs block
> relay access, so you have to use the mail server of the ISP you are
> currently connected to.

Exactly, so what's the problem?

I was simply saying that the example the original poster gave wasn't valid,
but that there were other examples which explain why it is infeasible to
implement blocking all access to port 25 elsewhere.

John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
205/883-4233x7007 Huntsville, AL 35801

[ On Thu, October 30, 1997 at 10:02:49 (-0500), Jay R. Ashworth wrote: ]

Subject: Re: Spam Control Considered Harmful

> There's no excuse for this. The user should (and must in the proposed
> plan) use the mail relay operated by the ISP they dial into for *all*
> outgoing mail.

Yes, there is. It's a question of span of administrative control.

If I decided to allow my users to make use of their telecommunting
connectivity for personal use, I _do not want them_ using my mail
server for that, so as to avoid any potential liability for my company
under any theory. Sure, use the great high bandwidth connection, but
get your mail and news services from a commercial provider.

I think you're beginning to get the full picture!

Yes, by forcing your users to use your outgoing mail relay server you
are assuming liability for their actions and thus also assuming
responsibility for controlling and limiting their actions.

If you cannot provide externally visible audit trails that clearly show
who is accountable for originating the mail then you must assume any
liability for allowing that anonymous person to send such mail.

My off the cuff rule to date for determining where I point the finger is
to check and see who the IP address for the originating network is
assigned to (i.e. in whois).

[ On Thu, October 30, 1997 at 13:42:46 (-0600), John A. Tamplin wrote: ]

Subject: Re: Spam Control Considered Harmful

Ok, a customer is paying for a virtual domain service. They want their
outgoing mail to appear as if they are running their own mail server, they
don't want people to know they are using someone else for it. If they use
their other ISP for SMTP relay, that shows up in the outgoing mail. I
agree this is a minor issue for me, but it is not for some of our
customers and since the customer is paying the bill, he gets what he wants.

If a customer is paying you for virtual domain service then you'll: a)
probably have a much more substantial relationship with the customer
than you would with an ordinary dial-up user, and thus much stronger
contractual arrangements to ensure they abide by your AUP; and b) be
telling those special customers to use a special outgoing mail relay
that properly masquerades as the virtual host, i.e. not your generic
outgoing mail relay used by your average ordinary dial-up users.

[ On Wed, October 29, 1997 at 15:12:46 (-0800), Dalvenjah FoxFire wrote: ]

Subject: Re: Spam Control Considered Harmful

The only reason I can think of that would stop this would be if a
user subscribes to earthlink, but uses a UUnet dialin, that customer's
software would be set up to use the Earthlink SMTP servers.

This should only present a minor complexity. If the authentication
information can be retrieved from the correct home ISP then there should
be no trouble identifying that ISP and adding the right filter to their
profile.

Keep in mind again I don't yet know much about how this would impact
router performance..but wouldn't one be able to set up access-lists,
then, that would allow port-25 connections to a defined list of SMTP
servers (say, UUnet, MSN, and earthlink SMTP servers), and prohibit
everything else?

One more filter rule in the existing list for preventing IP spoofing
shouldn't make any significant difference.

Why aren't they doing this?

Probably because they're not preventing IP spoofing yet either.

Yes, that is precisely what we do. However, what I pointed out was that
if the ISP they dial into blocked all traffic to port 25 elsewhere, as
was suggested, then they wouldn't be able to get to their virtual host
residing here to send out mail.

John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
205/883-4233x7007 Huntsville, AL 35801

[ On Fri, October 31, 1997 at 09:29:11 (-0600), John A. Tamplin wrote: ]

Subject: Re: Spam Control Considered Harmful

Yes, that is precisely what we do. However, what I pointed out was that
if the ISP they dial into blocked all traffic to port 25 elsewhere, as
was suggested, then they wouldn't be able to get to their virtual host
residing here to send out mail.

One easy way around this problem is to forge closer relationships with
the ISPs your customers use for connectivity. One of the easiest ways I
can think of doing this would be to become a member of a roaming service
like iPass and through that become a virtual ISP where you effectively
purchase connectivity time from dial-up providers and resell it to your
users. Then since you're providing the authentication of your users you
can also provide in their profile a list of SMTP relay hosts that they
should be permitted to connect to. Your users would then be free to
choose to dial into any iPass dial-up provider anywhere in the world at
any time without even needing an account opened with the particular
dial-up provider they happen to be able to get through to today.

If your contract with them states that you will charge their credit card
$500 for spamming and they agree to the contract, I'll bet they won't spam
from the account. All of a sudden the account is not "throw away"

[ On Fri, October 31, 1997 at 15:09:57 (-1000), netsurf@pixi.com wrote: ]

Subject: Re: Spam Control Considered Harmful

If your contract with them states that you will charge their credit card
$500 for spamming and they agree to the contract, I'll bet they won't spam
from the account. All of a sudden the account is not "throw away"

That's what I'd like to see indeed!

Unfortunately there are lots of more-or-less legal ways out of such
things, not to mention the illegal ways. They could easily use a
temporary card, or even run it up to the limit before spamming, etc.,
etc. I too would like to think there are ways to encourage users to
follow the AUP, but in the end hard technical limits are still the best.

Mabye you have to be like the phone company and charge a $500 deposit on
all new accounts until some history has been established that indicates
you're at least trustworthy on the surface.

I couldn't resist this:

  [snip - about charging $500 spam-penalty.]

Mabye you have to be like the phone company and charge a $500 deposit on
all new accounts until some history has been established that indicates
you're at least trustworthy on the surface.

  They do. Their name is NTT, Its about 670$ (72000yen) per
  line and your chances of getting it back are nil[1].

  this gets you 1 analogue line right. (for a bit more, you
  can have an ISDN line which is what I have now ..)

  Peter

They do. Their name is NTT, Its about 670$ (72000yen) per
     line and your chances of getting it back are nil[1].

heh, there _are_ a few things i don't miss about japan, and this is
one of them. bathrooms that aren't big enough to turn around in are
another...

                                        ---rob