SPAM, IEMMC, and Caller ID

Hi there -- I subscribed to this mailing list for the express purpose of
replying to things that have been said on the subject of unsolicited bulk
e-mail.

Phil Lawlor of AGIS has suggested that a "Caller-ID" type of functionality
be built into sendmail. Do I think that is a good idea? In a general sense,
it probably is -- accountability is a Good Thing, and a mechanism such as he
suggests will probably help situations where mailbombs, Denial of Service
attacks, or harassment have occurred and the perpetrator has to be found.

Will it help reduce spam? Absolutely not. People will find ways to "block"
the "caller ID", and not everyone uses sendmail as a mail server anyhow.

Phil also mentioned that he spent a sizable sum of money on the IEMMC and it
ended up going nowhere. That might possibly be because the IEMMC was run,
apparently, by Walter Rines. Walter Rines is owner of Quantum
Communications, a big spamhaus that was (until recently) hosted by AGIS. I
question the wisdom of putting a spammer in charge of an organization that is
supposed to reduce spam levels for people who don't want to be spammed.

Would you put a convicted murderer in charge of a program designed to
rehabilitate criminals? Probably not.

Incidentally, Mr. Lawlor, if you really *are* participating in this
discussion because you are interested in lowering the level of spam that
gets dumped on the Net on a daily basis, I commend you for your change of
heart. Those of us who frequent the news.admin.net-abuse newsgroups would be
quite proud of you.

>Incidentally, Mr. Lawlor, if you really *are* participating in this
>discussion because you are interested in lowering the level of spam that
>gets dumped on the Net on a daily basis, I commend you for your change of
>heart. Those of us who frequent the news.admin.net-abuse newsgroups would
>be quite proud of you.

I have mixed feelings.

I have had AGIS representatives (including Adam Hersh) tell me that I was
forging the spam I received, since their spammers would never break the rules.

When I said "Excuse me?" he watered it down to "well, most of the complaint
mail we get is forged... it complains about spam that was never sent."

I've had mailbombings from CyberPromo customers using my domain name to sneak
past AOL's filters, generating thousands of bounces into my postmaster box.
When I called AGIS's NOC to report it, an AGIS employee told me that after
asking on five separate occasions for copies of the spam, that he'd received
none, and that AGIS was filtering most of their mail to discard anything that
had the word 'spam' or 'US Code 47' and other such strings in it. I should
call back in the morning when Adam could change the filters to let my mail
through.

I had AGIS employees tell me that the person who sent the above spam (whose
name, it was pointed out to me, was in the copies of the Cyberpromo password
file posted to Usenet) was not a Cyberpromo customer when he had a working
autoresponder at Cyberpromo. Seems despite me asking them repeatedly to try
it, they never bothered. Instead, they called Sanford Wallace who told them
"um, no, he's not mine!".

And now, of course, I see AGIS is peering news with a site that has been
spewing 16k posts a day into Usenet that refuses to stop. Following standard
practice of alerting peers to a probable UDP is impossible considering that any
such complaint to AGIS is no doubt (as has been confirmed by AGIS employees)
auto-discarded.

AGIS has a lot of sins in the past, and despite Mr Lawlor's posts here, I find
they still have a long way to go before they can be considered a productive
member of the Internet.

Mr Lawlor's insistence on a technical solution to a people-problem is typical
of the same old sidestepping he's been doing for months.

I can positively identify spam coming from Sanford Wallace. Weee. So what
does that do for stopping spam? Sandy will change to relaying through servers
that don't digitally sign mail... and I either have to discard all mail from
any source that isn't signed or get his spew.

And then he'll change to using disposable dialups... wow, I can see
'jb12783@bellatlantic.net' is today's cyberpromo alias. It'll be digitally
signed so I can be sure. Again, that offers me no benefit.

What Mr Lawlor is arguing is that we should all have "white list mail" where we
list the people whom we accept mail from and discard anything else. And that
we should verify the identity of the sender against that white list.

That is the world that he lives in, where the mail to anyone at AGIS is most
likely discarded and complaints left unheard. It is NOT the sort of world I
want to live in.

Despite your recent predilection for posting, Mr. Lawlor, I fear you have not
changed. You are still arguing that I should have to protect myself from the
thieves and vandals that you service and that you don't care if they abuse my
services.

It's a new wrapper on the same old AGIS song and dance and I'm not impressed.

I apologize in advance to the members of this list for answering this flame
bait. I will refrain from doing this as much as possible.

AGIS has a lot of sins in the past, and despite Mr Lawlor's posts here, I find
they still have a long way to go before they can be considered a productive
member of the Internet.

AGIS is a VERY productive member of the Internet today, and has been since
before the NSF solicited a competitive Internet backbone.

Mr Lawlor's insistence on a technical solution to a people-problem is typical
of the same old sidestepping he's been doing for months.

I've never sidestepped the issue. AGIS does not like spam. It never did
and it never will. We are seeking to solve the problem. The technical
problem *is* that spamming is done all too easily. I am afraid that
Congress could pass more unenforceable legislation, which would waste US
taxpayers' money. As long as people can make money off of spam, they will.
If you can't clean up the spammer, then you have to start putting other
measures in place.

I can positively identify spam coming from Sanford Wallace. Weee. So what
does that do for stopping spam?

Then you can refuse it. You can take responsibility for yourself. You no
longer need to send out all those complaints, burdening the system even
greater. You have made my point for me. Thank you.

What Mr Lawlor is arguing is that we should all have "white list mail" where we
list the people whom we accept mail from and discard anything else. And that
we should verify the identity of the sender against that white list.

First of all, I am not arguing. Secondly, do not put words in my mouth.
Thirdly, sendmail already has the capability to do just what you are
talking about. I am mainly concerned with forgery and hijacking.

That is the world that he lives in, where the mail to anyone at AGIS is most
likely discarded and complaints left unheard. It is NOT the sort of world I
want to live in.

Absolutely a patented lie. I can prove it by sending you back the
hundreds, if not thousands of complaints you have sent to my email address
alone, never mind all the other email addresses at AGIS you have been
abusing by sending to anyone at AGIS other than abuse@agis.net.

This mailing list is for network operators. We are discussing operational
issues, not political ones.

It's a new wrapper on the same old AGIS song and dance and I'm not impressed.

I'm *really* sorry I didn't impress you. Go back to your newsgroup.

Again, to the rest of the list, I apologize, and I will try to refrain from
engaging in this type of behavior on this list.

Phil Lawlor
President
AGIS
Voice - 313-730-1130
Fax - 313-563-6119

I apologize in advance to the members of this list for answering this flame
bait. I will refrain from doing this as much as possible.

Not flame bait. Statement of opinion. You've stated yours, I can state mine.

AGIS is a VERY productive member of the Internet today, and has been since
before the NSF solicited a competitive Internet backbone.

Opinion.

>Mr Lawlor's insistence on a technical solution to a people-problem is
>typical of the same old sidestepping he's been doing for months.

I've never sidestepped the issue. AGIS does not like spam. It never did
and it never will. We are seeking to solve the problem. The technical
problem *is* that spamming is done all too easily. I am afraid that
Congress could pass more unenforceable legislation, which would waste US
taxpayers' money. As long as people can make money off of spam, they will.
If you can't clean up the spammer, then you have to start putting other
measures in place.

Hosting CyberPromo helped control spam in what way? Allowing and in fact
encouraging them to spam through your network and host their autoresponders and
web sites helped control spam how? Clean up their web sites. Refuse to host
spammers in any way shape or form. Hosting the sites they run lets them make
money and encourages them.

>I can positively identify spam coming from Sanford Wallace. Weee. So
>what does that do for stopping spam?

Then you can refuse it. You can take responsibility for yourself. You no
longer need to send out all those complaints, burdening the system even
greater. You have made my point for me. Thank you.

I can by reading it. Are you going to pay me for the time to grep for the
hundreds of domains that would signify cyberpromo?

I don't believe I said I did the above by machine. You can take responsibility
for the time I've had to spend constructing spam traps for our users, for
ignoring the continued complaints of your customers violating the "IEMMC Rules"
by forging addresses and not using the relay machine that was supposed to
filter out addresses.

You haven't addressed the stories Adam or Derek Mason at your NOC have told me.

>What Mr Lawlor is arguing is that we should all have "white list mail"
>where we list the people whom we accept mail from and discard anything else.
>And that we should verify the identity of the sender against that white list.

First of all, I am not arguing. Secondly, do not put words in my mouth.
Thirdly, sendmail already has the capability to do just what you are
talking about. I am mainly concerned with forgery and hijacking.

You're not arguing? You're not setting forth a proposal and trying to back it
up? Arguing a point does not mean putting up fists and yelling at the top of
your lungs. That you believe it to be so is interesting, though.

Sendmail has the ability to bounce all mail from AOL's mailer daemon to random
addresses at my domain without interfering with real bounces? It has the
ability to automatically update the list of known spam domains? It has the
ability to update the list of spam netblocks? Which MC option is that? Your
earlier comment about not knowing the capabilities of sendmail was more
accurate.

I've spent many hours tweaking my sendmail with databases of your IP blocks and
the domain names your customers use, but they move to dialups to plug their
services. As long as that web site, autoresponder or bulk mailer is on the
net, they make money.

"As long as people can make money off of spam", you say... well, deprive them
of that ability by shutting down what they are advertising.

This isn't rocket science. As long as the web site is there what stops them
from spamming? What stops them from getting a disposable dialup and spamming
from that?

Hint: authenticated email doesn't unless you white-list mail.

>That is the world that he lives in, where the mail to anyone at AGIS is
>most likely discarded and complaints left unheard. It is NOT the sort of
>world I want to live in.

Absolutely a patented lie. I can prove it by sending you back the
hundreds, if not thousands of complaints you have sent to my email address
alone, never mind all the other email addresses at AGIS you have been
abusing by sending to anyone at AGIS other than abuse@agis.net.

Not a lie, Mr. Lawlor, a statement of fact. Mail requested by dmason@agis.net
had to be sent five times to abuse@agis.net and his own personal address before
I gave up. Mysteriously he found one of them in the morning. Perhaps you
don't /dev/null it all, just archive-and-ignore. You pull it out when asked,
but never actually bother to read it.

Certainly the MANY requests I made to have my domain get a domain opt-out were
ignored, as despite requesting it a multitude of times, I still got mail for
it, and it even passed through relay2.iemmc.org. I played your little web-page
game, I mailed about violations and never got a response. I phoned while being
mailbombed with 2500 bounces from AOL and was told it wasn't happening.

This mailing list is for network operators. We are discussing operational
issues, not political ones.

That's very nice. I have a nice little network in 4 states. We're about to
add peers at both the north and south ends and replace our basic star with a
neat mesh.

You're not discussing operational issues at all. You're proposing a secure
mail standard. Go talk to the IETF about it and write the RFCs. Be prepared
to get two reference versions of the software and spend years hoping people
upgrade clients (look at the long history of IMAP to see how slow a process
this is when an existing protocol is being superseded).

Operational issues would be unplugging people who abuse the services of others.

>It's a new wrapper on the same old AGIS song and dance and I'm not
>impressed.

I'm *really* sorry I didn't impress you. Go back to your newsgroup.

Actually, Mr. Lawlor, despite being active in nanae and other groups, I've been
on this list for months. The list owner can certainly verify that if she
wants.

I just finally got fed up with your claims that having a digital signature on
mail will somehow magically stop spam. It won't and you have yet to
demonstrate how it will do such. Again, how does it help me to know that the
disposable-spammer-account-of-the-day is some rented account at bellatlantic or
netcom or whoever. I don't CARE what they authenticated as.

The -only- way such information would be useful would be to construct white
lists. Since you seem to think different, explain what use it would be.

Again, to the rest of the list, I apologize, and I will try to refrain from
engaging in this type of behavior on this list.

Right.

Honestly Mr. Moore, this is wholly unnecessary, as my daily cron could tell
you;

echo "Fetching cyberpromo SPAM filter file:"
fetch ftp://ftp.cybernothing.org/pub/abuse/cyberpromo.domains

Anyone got any marshmallows? I'm enjoying the flames but it just
isn't the same without food. :)

If you can positively identify the individual, you can say you don't want
to accept mail from that person, regardless of where the account is. If
the system I described were in place, you could decide to accept mail based
on criteria that the certifying authority places on those whose
certificates it signed, and you would never have to know the individuals
or their ISPs ahead of time. For example, you could say you only wanted
to accept mail from either people you specifically wanted (your white list),
or from any unknown people that were certified by having a notarized copy
of their driver's license (or whatever), which would then allow you to
specifically exclude particular people you didn't want to receive mail from.

In an ideal world we wouldn't have to worry about this, we could just all
be open and friendly and accept mail from whoever. However, it is no longer
that way on the Internet and will never be again. I agree that implementing
a scheme digitally signing mail is a vast undertaking that would never be
entirely complete. However, I see no alternative in the long run. Your
suggestion will always require a large amount of manual effort and you will
always be playing catchup with the spammers. Using schemes such as Vixie's
blacklist is difficult for an ISP as it presupposes what individual customers
will want -- some of them certainly do not want to lose connectivity to a
portion of the Internet, even if it means exposing them to spam. After all,
we can all certainly be free of spam by simply unplugging the wire, but the
cost is obviously too high.

John Tamplin Traveller Information Services
jat@Traveller.COM 2104 West Ferry Way
205/883-4233x7007 Huntsville, AL 35801

If you can positively identify the individual, you can say you don't want
to accept mail from that person, regardless of where the account is. If
the system I described were in place, you could decide to accept mail based
on criteria that the certifying authority places on those whose
certificates it signed, and you would never have to know the individuals
or their ISPs ahead of time. For example, you could say you only wanted
to accept mail from either people you specifically wanted (your white
list), or from any unknown people that were certified by having a
notarized copy of their driver's license (or whatever), which would then
allow you to specifically exclude particular people you didn't want to
receive mail from.

Okay, suppose I bought into this. CMC.NET is now stamping a PGP-signed
X-Authenticated-User: line on mail. We'd have to distribute keys for us
somehow. I guess the obvious solution is to add a resource type to DNS.

Now, suppose you've never gotten mail from CMC.NET. How would you know just
what our requirements for an account are? (For the record, we do require a
personally signed contract and current state-issued ID or driver's license.)

We'd have to have yet another signatory to stamp our record as meeting that
qualification and they would have to verify it.

Basically, we'd be moving to a 'virtual' white list, scattered about like DNS
with various authorities overseeing the validity of records. Who would define
those authorities? How would they be monitored? Who watches the Watchmen?

I'll believe such a system will work when something like DNS is more reliable.

Never mind the huge difficulty in getting a 'new improved' standard to be
accepted. Heck, SMTP sucks in implementation quite often (as I write this, I'm
being deluged with piles of mail from a broken Lotus Notes gateway, and odds
are so are others posting to this list). It's highly difficult in the chaos
that is the Internet to make new protocols work unless you're the first or
damned lucky. Again, note how long it's taken IMAP to be noticed by vendors
and how just now they're realizing it's a pretty nifty protocol.

[List owner... please shoot the person on this gateway:
Received: from merit.edu by uprr-internet.notes.up.com
  (PostalUnion/SMTP(tm) v2.1.9c for Windows NT(tm))
  id AA-1997Oct29.204929.1155.1272450; Wed, 29 Oct 1997 20:49:29 -0500]

In an ideal world we wouldn't have to worry about this, we could just all
be open and friendly and accept mail from whoever. However, it is no
longer that way on the Internet and will never be again. I agree that
implementing a scheme digitally signing mail is a vast undertaking that
would never be entirely complete. However, I see no alternative in the long
run. Your suggestion will always require a large amount of manual effort

What suggestion? Unplugging spammers is my suggestion. Do not harbor them, do
not encourage them, do not sell to them. Cheap and easy. It has been Mr.
Lawlor's suggestion in the past to just use tcp wrappers or sendmail rules to
deny spammers, but then kept moving around netblocks and refusing to tell
people where their spammers were. I've only done it because it was effective
in stopping some of their spew.

If you believe Mr. Lawlor, his own system hasn't been effective, since I've
gotten "hundred or thousands" of pieces of spam despite it.

and you will always be playing catchup with the spammers. Using schemes
such as Vixie's blacklist is difficult for an ISP as it presupposes what
individual customers will want -- some of them certainly do not want to lose
connectivity to a portion of the Internet, even if it means exposing them to
spam. After all, we can all certainly be free of spam by simply unplugging
the wire, but the cost is obviously too high.

Why is it too high? It's quite simple to deny service to those that can't be
responsible. Doing so is quite effective. A couple examples:

kiki9@ix.netcom.com was told to quit spamming "her" website ads or she'd lose
her hosted site. She'd been spamming from disposable accounts for MONTHS. The
spam has since stopped from her.

Although Cyberpromo and Pals have been booted from AGIS, they could easily go
get a 28.8k disposable account somewhere and continue their spew. But they
haven't managed to do that and have been blissfully quiet. Why? No
autoresponders. No web sites.

Mr. Lawlor was right in one point: Spammers do it to make money. Take away
their ability to make money and the problem ceases. It -is- something network
operators of various sizes can and do daily, whether it is a dialup customer or
a DS3 connected site. It has been done for YEARS going back to the days of
people complaining about MUD and IRC traffic on the NSF backbone not being
'educational'.

This whole talk of digitally signed mail has nothing to do with NANOG (it is an
IETF issue as I pointed out once) and will do nothing to stop spam unless one
is willing to whitelist.

[ On Wed, October 29, 1997 at 20:08:53 (-0500), Steve Sobol wrote: ]

Subject: SPAM, IEMMC, and Caller ID

Will it help reduce spam? Absolutely not. People will find ways to "block"
the "caller ID", and not everyone uses sendmail as a mail server anyhow.

Oh, but it will, just so long as the system ensures that the "blocked
caller ID" is clearly identified as such. Here in Bell Canada territory
such calls arrive with "private" names and/or numbers so I just don't
answer them. This technique, in combination with some system of
recording the names/numbers of known telemarketers who don't block their
caller ID and I don't ever have to answer one of their calls. The only
problem was with the recent political campaigns where the parties had
volunteers call from their own homes to canvass for votes.

Indeed if it weren't for third-party relay spam I wouldn't receive any
at all as I currently block all mail where I cannot verify the sender
through the DNS and I filter all connections from known spammers.

>Mr Lawlor's insistence on a technical solution to a people-problem is typical
>of the same old sidestepping he's been doing for months.

I've never sidestepped the issue. AGIS does not like spam. It never did
and it never will. We are seeking to solve the problem. The technical
problem *is* that spamming is done all too easily. I am afraid that

You are correct, but from the outside, it looks as if agis has offered
itself as a safe haven for spammers. Spammers' IPs are not SWIPed,
traceroute doesn't work to them, and a long history of spamming is
apparently no obstacle to getting an agis circuit.

Congress could pass more unenforceable legislation, which would waste US
taxpayers' money. As long as people can make money off of spam, they will.
If you can't clean up the spammer, then you have to start putting other
measures in place.

In my opinion, that's 100% correct. But these other measures needn't be
limited to measures you and agis are comfortable with. If you habitually
provide connectivity to spammers, you are part of the problem.

As a practical matter, you are going to get hammered by (at least)
unpleasant email from people who are frustrated with the way spammers step
on them. You facilitate that. Unfortunately if you lay down with
pigs you get muddy. An occupational hazard.

>does that do for stopping spam?

Then you can refuse it. You can take responsibility for yourself. You no

One can't refuse spam without using bandwidth. Is someone going to
send me a check for the tens of thousands of spam emails my mail server
rejected? I'll hold my breath.

longer need to send out all those complaints, burdening the system even
greater. You have made my point for me. Thank you.

I think the more significant point was made when agis evicted cyberpromo.
It did far more to reduce 'burdening the system' when it stopped all that
CP spam traffic and the traffic associated with complaints about CP.

talking about. I am mainly concerned with forgery and hijacking.

How concerned are you? Are you concerned enough to disconnect people
who use agis for webfarms, while doing their forging and hijacking from
throw-away ppp accounts outside of agis?

Too bad you aren't mainly concerned with delousing your network.

Bill