Update on mail bombing threats--not so funny

There is no use attempting to find legal fixes for massive spam and other
flooding attacks. The spam sources will simply move out of the U.S.
and will start loading international circuits with their crap.

I.e. the legal cure will only make spam even more annoying, but won't
stop anybody.

Why won't we concentrate on doing technical solutions? Fortunately,
it is relatively easy to get rid of the flooding attacks by reducing
their effectiveness to nothing.

The solution is source address filtering at edges, to relieve attackers
from the benefit of forged source addresses, and reverse lookup
authentication in MTAs -- just do not accept any mail coming from an
invalid source address, or source address not corresponding to what
is in Sender, Reply-To or From field.

That will arguably break some setups (for example, when outgoing mail
leaves hosts directly, but return mail comes through a centralized server);
but that can be fixed.

That scheme is obviously not bullet-proof, but neither are locks on the
doors. They do deter crime, though.

BTW, the e-mail sender address authentication would also do wonders for
the non-flooding variety of spammers -- getting tons of angry mail from the
targets of the spam does have some effect. Also, it gives ISPs the ability
to identify abusers, and create a black list of people not to have any
business with, and a legitimate reason to refuse service to them.

There's a historical precedent in doing source address authentication
which initially broke service for a lot of people, but ultimately made
the Internet a saner place -- the FTP archive at UUNET at some time started
requiring that reverse DNS lookups should provide correct names.
Oops -- nobody with broken reverse zones could access it.

Now, the question is how to make people actually implement it. I guess
the big providers should consider it in their best interest -- or they'll
eventually get politicians and lawyers on their heads.

--vadim
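The MTA-side check Vadim proposes, as an added example (not code from the thread): forward-confirmed reverse DNS on the connecting address, then a comparison of the resulting hostname against the domains in From, Sender and Reply-To, with an exception list for the centralized-return-server setups he mentions. The DNS answers are a constructed table standing in for a real resolver; all names and addresses are invented.

```python
from email.utils import parseaddr

# Constructed stand-in for resolver answers (assumption: a real MTA would query DNS).
PTR = {"192.0.2.10": "mail.example.net",          # correct reverse zone
       "192.0.2.99": None,                        # no PTR at all
       "198.51.100.7": "relay.example.net"}       # PTR points at a name it doesn't own
A = {"mail.example.net": {"192.0.2.10"},
     "relay.example.net": {"203.0.113.5"}}


def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: ip -> name, and name -> addresses must contain ip."""
    name = ptr.get(ip)
    if not name or ip not in a.get(name, set()):
        return None
    return name


def header_domains(headers):
    """Domains named in From, Sender and Reply-To (the fields Vadim lists)."""
    doms = set()
    for field in ("From", "Sender", "Reply-To"):
        _, addr = parseaddr(headers.get(field, ""))
        if "@" in addr:
            doms.add(addr.rsplit("@", 1)[1].lower())
    return doms


def domain_matches(hostname, domain):
    hostname, domain = hostname.lower(), domain.lower()
    return hostname == domain or hostname.endswith("." + domain)


def check_sender(ip, headers, exceptions=()):
    """Return (accept, reason). `exceptions` holds (ip, domain) pairs for known
    setups where mail leaves a host directly but replies go via a central server."""
    name = fcrdns(ip)
    if name is None:
        return False, "no valid reverse DNS for %s" % ip
    doms = header_domains(headers)
    if not doms:
        return False, "no address in From/Sender/Reply-To"
    for dom in doms:
        if not domain_matches(name, dom) and (ip, dom) not in exceptions:
            return False, "%s does not belong to %s" % (name, dom)
    return True, "ok"
```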

Vadim Antonov wrote:

One possible solution is just to have recourse after the fact.
If you as an ISP have their credit card/phone billing, and have
a policy that explicitly states that either:

1) you will charge $100/hr to clean up revenge email that they
were responsible for directly.

2) you will charge them $.25/message for every mail message over
1000 sent outgoing (this doesn't handle using another site's mail
server).

3) you charge for bandwidth or something like that making sure you
set the limits such that normal dialup users won't see any charges.

Even despite the inevitable chargebacks, many spammers would decide that
fighting with the credit card company isn't worth it.

There are a lot of ISPs spending a large amount of time/$ tracking
down this sort of thing and in the end it isn't very productive.
I see a general lack of policy for dealing with spam almost
everywhere.

allan

Why won't we concentrate on doing technical solutions?
[good source authentication proposal deleted]

This would solve the forged email problem excellently. (Assuming you can
get past the installed base of over 50(?) million SMTP email addresses,
although only a few of those actually have a source domain different from
the mail gateway.)

However, the spamming problem is another. I see three generations of
spammers.

The 1st Generation Spammer (Direct)

From address matches sender. Spammer expects to pick up mail at the from
address. Cancelling account thwarts spammer. Easy to cover in TOS.

The 2nd Generation Spammer (Indirect Via Internet)

From address is different than sender. For this type of spam promoting
web sites, the actual site being promoted is on a different network than
spam is sent from. For this type of spam requiring a response, response
email address is usually a dropbox or autoresponder service with a
"spammer friendly" TOS. Source email account used is disposable.
Requires more complex TOS for network hosting actual site to terminate
service.

The 3rd Generation Spammer (Indirect Via Non Internet)

From address can be anything. Response is via 900 phone number, 800 phone
number taking credit cards, or international number with built-in premium
($20 for the first minute). Alternatively, less sophisticated 3rd
generation spammers use fax, regular telephone, or postal mail (only the
really dumb ones ever use postal mail, because of the amount of law). No
Internet resource is used as part of ordering.

I have received a couple of these 3rd generation spams recently.

Mail authentication is not going to prevent hit and run 3rd generation
spams.

An additional feature (hehe) in sendmail that would hinder hit and run
operators would be flood suppression on a user by user basis (ibm.net
could have used this). For example, a rule such that no user can send
more than 1000 messages per day (configurable of course).

Mike.

+------------------- H U R R I C A N E - E L E C T R I C -------------------+

> Even despite the inevitable chargebacks, many spammers would decide that
> fighting with the credit card company isn't worth it.

Uh, you have this backwards. If you read most credit card merchant
agreements, online services have no recourse, without a physical signature
from the customer, against chargebacks for online service. This is
because they are treated as phone orders where the presumption is in the
customer's favor.

Mike.


Mike Leber wrote:

> Even despite the inevitable chargebacks, many spammers would decide that
> fighting with the credit card company isn't worth it.

> Uh, you have this backwards. If you read most credit card merchant
> agreements, online services have no recourse, without a physical signature
> from the customer, against chargebacks for online service. This is
> because they are treated as phone orders where the presumption is in the
> customer's favor.

By chargeback, I meant to the merchant. But it still was a hassle
on a simple chargeback I did. I probably wasted 5 hours writing
letters and on the phone to make it stick.

The technical reasons Vadim gives are essential, to ensure that
everything is as it appears, but what does the ISP do when one
of their users does something? Most don't have any clear-cut
policy. When the spam is coming from the network of a paying
business customer, operators often have to start tiptoeing lightly.
We're going to see more balkanization of the net as operators have to
start deciding between the good ISPs and bad ISPs.

allan
3 posts in a day. I must be getting old and grumpy.

Sorry, but what are you doing with the uninteresting adv. shits
in your usual mail-box? I find daily 2 / 3 such papers, and I prefer
to throw them into my wastebasket instead of writing a lot of
complaints... Sometimes I find something interesting, anyway.

Except in some cases of massive SPAM it's the better choice.
Just now I see the inadequate behaviour of some network administrators
when 1 (_ONE_) unnecessary message causes 10 / 20 messages (written by this administrator)
complaining about this advertisement (you are naming it _spam_). This causes
us much more trouble than a simple 'D' (or 'REMOVE') command.