
Large ISPs ponder spam

The Anti-Spam Technical Alliance is a consortium of large Internet service providers, including Yahoo, Microsoft, EarthLink, America Online, and others. This group has just announced the publication of a set of guidelines intended to reduce the amount of spam in circulation; the document is available in PDF format. These ISPs carry enough network traffic between them that it's worth looking at their recommended policies. After all, if these carriers decide to screw up the net, they could succeed in making a big mess for everybody.

The recommendations, unsurprisingly, are aimed primarily at ISPs. For the most part, they are reasonably obvious stuff; they include:

  • Close open relays. Most people who run mail systems will have done this some time ago; anybody who hasn't soon finds it hard to send mail, since an open relay ends up on the blacklists quickly. The guidelines also recommend tightening access to open proxies, which spammers use for the same purpose.

  • Shut down formmail.pl. It is hard to imagine that systems running formmail are still out there, but they must be. The LWN web server gets a handful of attempts to use formmail.pl (which has never been installed there) every day.

  • Detect and disconnect zombie systems. This clearly has to be done; compromised systems are increasingly in demand as spam sources. Detection of such systems should be relatively easy, most of the time; one hopes, however, that ISPs will be careful when deciding just how active they want to be when looking for compromised systems.

  • Use authenticated email submission. The report also recommends pushing customers over to the mail submission port (port 587) for feeding email into the system, leaving port 25 for server-to-server relay. Separating out the submission step allows the ISP to require authentication (SMTP AUTH) before accepting a message, so every message is tied to an account that can be rate-limited or cut off. Of course, implicit in all of this is the idea that ISP customers are not to be allowed to send mail directly to remote systems.

  • Put rate limits on outbound email traffic. Recommended limits are 150 recipients per hour, up to 500 recipients per day. This idea has all kinds of problems, starting with the effect it will have on anybody running a mailing list.

  • Close down web redirector services. Evidently some redirection services are open to anybody who wants to use them; putting redirected URLs into spam helps make the message look more legitimate and hide the ultimate destination.

  • Set up and use spam reporting services.
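As an added illustration (not part of the article or of the ASTA document), here is a small Python checker that applies the two outbound limits quoted above to a handful of constructed submission-log lines and reports which accounts exceed them. The log format, account names and recipient counts are invented for this example, and the sliding-window reading of "per hour" and "per day" is one reasonable interpretation, not something the guidelines specify.

```python
"""Outbound recipient-rate check over constructed submission logs.

Added example, not code from the article or from the ASTA guidelines.
The log format, account names and counts are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOURLY_LIMIT = 150  # recipients per hour, the figure quoted in the article
DAILY_LIMIT = 500   # recipients per day, likewise

# Constructed log: one submission per line, "<ISO time> user=<account> rcpts=<n>".
SAMPLE_LOG = """\
2004-06-24T10:00:00 user=alice rcpts=3
2004-06-24T10:05:00 user=alice rcpts=2
2004-06-24T10:00:00 user=zombie42 rcpts=100
2004-06-24T10:20:00 user=zombie42 rcpts=60
2004-06-24T13:00:00 user=listserv rcpts=120
2004-06-24T15:00:00 user=listserv rcpts=120
2004-06-24T17:00:00 user=listserv rcpts=120
2004-06-24T19:00:00 user=listserv rcpts=120
2004-06-24T21:00:00 user=listserv rcpts=120
"""


def parse_log(text):
    """Return a list of (timestamp, account, recipient_count) per log line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user_field, rcpt_field = line.split()
        events.append((datetime.fromisoformat(stamp),
                       user_field.split("=", 1)[1],
                       int(rcpt_field.split("=", 1)[1])))
    return events


def peak_in_window(events, window):
    """Largest recipient total inside any window of length `window` that
    ends at one of the account's own submissions. A sliding window, not a
    calendar bucket, so a burst straddling the top of the hour is caught."""
    events = sorted(events)
    peak = 0
    for i, (t, _) in enumerate(events):
        total = sum(n for s, n in events[:i + 1] if s > t - window)
        peak = max(peak, total)
    return peak


def check_limits(text, hourly=HOURLY_LIMIT, daily=DAILY_LIMIT):
    """Return {account: {"hour_peak", "day_peak", "flags"}}, where "flags"
    names the limits the account exceeded."""
    per_user = defaultdict(list)
    for stamp, user, rcpts in parse_log(text):
        per_user[user].append((stamp, rcpts))
    report = {}
    for user, evs in per_user.items():
        hour_peak = peak_in_window(evs, timedelta(hours=1))
        day_peak = peak_in_window(evs, timedelta(days=1))
        flags = []
        if hour_peak > hourly:
            flags.append("hourly")
        if day_peak > daily:
            flags.append("daily")
        report[user] = {"hour_peak": hour_peak, "day_peak": day_peak,
                        "flags": flags}
    return report


if __name__ == "__main__":
    for user, info in sorted(check_limits(SAMPLE_LOG).items()):
        status = "OVER " + ",".join(info["flags"]) if info["flags"] else "ok"
        print(f"{user:10} hour={info['hour_peak']:4} day={info['day_peak']:4} {status}")
```

In the constructed data, zombie42 trips the hourly limit within twenty minutes, while listserv never exceeds 120 recipients in any hour but runs through the daily cap by evening; that second case is exactly the mailing-list problem the article raises, and an ISP enforcing these numbers would need a per-account exemption, and a way to request it, before turning the check on blindly.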

There is also a set of recommendations for bulk mail senders, with ideas like "do not harvest email addresses," avoid forged headers, and provide clear opt-out instructions. The best recommendation, however (which would be "cease and desist") is absent. The "recommendations for consumers" section limits itself to suggesting the installation of firewalls and anti-virus software.

In one sense, these guidelines are a step in the right direction. They are an admission from a number of large ISPs that they must take responsibility for spam originating on their networks. In the best possible scenario, ISPs will take a higher level of interest in their contribution to the problem and shut their spammers down. In the worst case, however, we could see a significant reduction in what "normal users" are allowed to do on the net, major hassles for anybody wanting to run mailing lists or handle their own mail, and increasingly intrusive probes from ISPs which are ostensibly intended to root out compromised systems - all with a wink to "legitimate" bulk commercial emailers and no real reduction in spam volumes.

For now, at least, vast parts of the net are beyond the control of these large ISPs. That puts a limit on their ability to make a significant dent in the spam problem, but also on their ability to impose their own vision of how the net should work. Limits of that sort can only be a good thing.



Large ISPs ponder spam

Posted Jun 24, 2004 3:39 UTC (Thu) by smoogen (subscriber, #97) [Link] (1 responses)

I think that in the current environment, people who want to handle their own mail etc. will have to pay for that privilege. There isn't any sort of 'universal right' that one can run his own email services just because he can connect to an ISP. There is also no right not to be probed by an ISP or expect unlimited bandwidth because the cable modem could allow it. For that matter, for most of the world there is no right that the communication you send out isn't theirs to do what they please when it goes on their wire.

In order to 'get' such rights, people need to lobby and get them enacted into law. They need to move to ISPs that allow them the rights they want, or other ways.

In any case, I am expecting that in the US the Department of Homeland Security would use these guidelines as guidance for any US based ISP or for sites that use US networks to communicate elsewhere.

Large ISPs ponder spam

Posted Jul 1, 2004 16:37 UTC (Thu) by dunne (guest, #22552) [Link]

"There isn't any sort of 'universal right' that one can run his own email services just because he can connect to an ISP."

Well, the whole point of the Internet is that "a host is a host is a host", so once I buy connection from an ISP, I *can* run my own e-mail services, or anything else I want (subject to bandwidth charges, which is reasonable). I for one don't want to see the Internet dumbed down into some kind of universal AOL. What's your solution to alcoholism? Banning pubs?

Large ISPs ponder spam

Posted Jun 24, 2004 7:22 UTC (Thu) by Soruk (guest, #2722) [Link]

Although it is good advice to have firewall and antivirus software installed, most people miss the point that to be effective you should never allow your email client to bring up the network connection, instead bring it up manually and update your virus signatures before downloading your email.

How many email viruses have infected systems because this most simple of principles has been ignored?

-- Soruk

SPF, Domain Keys, and the like

Posted Jun 24, 2004 15:13 UTC (Thu) by ayeomans (guest, #1848) [Link] (4 responses)

Be careful of what you ask for. We can already authenticate mail senders using S/MIME, PGP or GPG. All that SPF and the like do is authenticate email postmarks. So if this became commonplace, the response of the spammers is simply to stop forging sender addresses and run their own domain, with completely legitimate SPF markers, all in some TLD that allows them to do so.

Result - very little difference in spam volume. Maybe you could filter by the domains used - but these will also come and go rapidly.

I suggest you follow the money with SPF/etc - a few years downstream, you will need to pay someone to get your sent mail approved, either for an SPF/etc signature from your ISP or for your own domain. It's like paying someone to throw away all your mail unless it was posted in the mailbox you paid to use.

SPF, Domain Keys, and the like

Posted Jun 24, 2004 16:11 UTC (Thu) by kitterma (guest, #4448) [Link] (3 responses)

If the spammers stop forging, then at least we have a better idea where to go and find them. It's a step in the right direction.

With SPF all I have to do is publish a TXT record for my domain. All that takes is a DNS or DNS services provider that will support TXT records. Not hard to find, not very expensive.

With SPF I have a way to try to protect my domain name. At least I can tell other organizations what MTAs are permitted to send e-mail for my domain. I can stop spam just fine with filtering. Spam isn't really much of a problem for me. What I want to stop is spammers forging my domain name.

If they stop forging, that's a good chunk of the battle.

Of course, one of the beauties of SPF is it's optional. If you don't like it, don't use it.

SPF, Domain Keys, and the like

Posted Jun 26, 2004 8:39 UTC (Sat) by shane (subscriber, #3335) [Link]

IIRC, some employees of the large ISPs pushing SPF-style authentication actually envision a "flag day" after which all domains must authenticate their mail relays.

I'm actually not really opposed to it, considering it is a small piece of setting up a mail infrastructure. I don't know if there will be a "critical mass" to force a conversion, but it'll be interesting to see - the IETF, for one, used to consider flag days a thing of the past on the Internet.

SPF, Domain Keys, and the like

Posted Jul 1, 2004 8:57 UTC (Thu) by job (guest, #670) [Link] (1 responses)

That is not true!

What's in their "From" address is completely uninteresting. Not only does this not tell us anything about the spammers' whereabouts, it is also very easy for spammers to create disposable addresses to evade blacklists. Some people used to blacklist the "From" addresses but it was a very bad idea and nobody does it anymore.

The source IP, on the other hand, is VERY interesting. Just "whois" the IP and phone or mail the guy to stop (in practice, you mail his/her ISP to shut them out). There are even services that can do this very easily for you with a friendly web interface, like http://spamcop.net/ .

Adding SPF to that accomplishes ONLY that you can delete false bounces, _nothing else_.

SPF, Domain Keys, and the like

Posted Jul 1, 2004 12:27 UTC (Thu) by kitterma (guest, #4448) [Link]

Today you are right. All blacklists work on the basis of the IP address because the From: (and other) addresses are virtually always forged.

I published an SPF record to try to protect my domain name from accusations of spamming. I'm not there yet as today publishing a -all record is a challenge, but the technology is in its infancy. I'll get there.

SPF is primarily about making forgery more difficult (including phishing). As far as spam goes there are only 3 possibilities:

SPF fail: It's a forgery - do not accept during SMTP session
SPF unknown: Don't know - keep on processing like there is no SPF
SPF pass: It's not a forgery, so now I know this is a spamming domain.

Yes, domain based blacklisting hasn't worked in the past because of forgery. SPF makes domain based blacklisting possible. Yes, spammers will get throwaway domains, but this does raise the transaction costs.

SPF isn't envisioned as a final solution to spam. It is a step.
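To make the three outcomes in the comment above concrete, here is a deliberately minimal SPF evaluator in Python, added to this page as an illustration; it is not code from any commenter or from the SPF project. It handles only the `ip4:`/`ip6:` mechanisms and the `all` terminator, skips `include`, `a`, `mx`, `redirect` and macros from the real specification, and substitutes an in-memory dictionary for DNS TXT lookups. Every domain and address in it is made up.

```python
"""Minimal SPF check: ip4/ip6 mechanisms and the "all" terminator only.

Added example, not the commenters' code. DNS is replaced by a dictionary
of constructed TXT records; real code would query the domain's TXT RRs
and handle include/a/mx/redirect, macros and lookup limits.
"""
import ipaddress

# Constructed "DNS": domain -> list of TXT strings.
FAKE_TXT = {
    "example.com":    ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"],
    "soft.example":   ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "v6.example":     ["v=spf1 ip6:2001:db8::/32 -all"],
    # A spammer's own domain with a perfectly valid record, the case
    # ayeomans predicts: mail from its listed host passes, but the
    # domain itself is now identifiable and can be listed.
    "throwaway.test": ["v=spf1 ip4:203.0.113.99 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, txt_lookup=FAKE_TXT):
    """Return the domain's single v=spf1 record, or None if absent or ambiguous."""
    records = [r for r in txt_lookup.get(domain, []) if r.startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def check_spf(client_ip, mail_from_domain, txt_lookup=FAKE_TXT):
    """Evaluate the record left to right; the first matching mechanism decides."""
    record = get_spf_record(mail_from_domain, txt_lookup)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)  # bare IP -> /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                   # mechanism this toy does not implement
    return "neutral"                         # nothing matched and no "all" term


def smtp_decision(spf_result):
    """The three-way policy from the comment: fail is refused during the SMTP
    session, pass makes the sending domain accountable (so a domain-level
    blacklist becomes usable), anything else is handled as if SPF were absent."""
    if spf_result == "fail":
        return "reject"
    if spf_result == "pass":
        return "accept-domain-accountable"
    return "continue"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.7", "example.com"), ("203.0.113.5", "example.com"),
                       ("198.51.100.1", "soft.example"), ("192.0.2.1", "nospf.example"),
                       ("203.0.113.99", "throwaway.test")]:
        result = check_spf(ip, domain)
        print(f"{ip:>14} from {domain:15} -> {result:8} ({smtp_decision(result)})")
```

The `-all` record on example.com is the one the commenter says is hard to publish today: every legitimate outbound path for the domain (web hosts, roaming users, forwarding services) has to be enumerated first, which is why a domain typically starts with `~all` and only switches to `-all` once the list is known to be complete.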

Large ISPs ponder spam

Posted Jun 24, 2004 19:30 UTC (Thu) by Baylink (guest, #755) [Link] (4 responses)

If zombies are indeed responsible for $LARGE_PERCENTAGE of the spam, then Job 1 seems to be two pronged, for all ISPs, but especially broadband ones:

1) immediately block outbound access from your subscribers to port 25 on remote hosts, whether on- or off-net.

2) immediately reopen it for any specific user who asks.

The latter would likely require a little smarts on the DHCP front, but shouldn't be remotely impossible.

And this would cut spam by half or more -- up to 80% in some reports? And it would take, what, a couple days for a couple guys?

C'mon; it's obvious.

(Smart-alec closing line goes here. :-)

Large ISPs ponder spam

Posted Jun 24, 2004 21:38 UTC (Thu) by smoogen (subscriber, #97) [Link] (3 responses)

Actually it shouldn't be too hard for them to do something like policy route all port 25 traffic out through mail relays. These could then be stamped as being seen here last, which would allow for better finding the zombies. Boxes that did send out more than the allotment could be turned off. Those who want more access can ask for it.

Restricting outbound SMTP

Posted Jun 25, 2004 0:59 UTC (Fri) by giraffedata (guest, #1954) [Link] (2 responses)

>Actually it shouldnt be too hard for them to do something like policy route all port 25 traffic out through mail-relays.

It sounds like you're talking not about routing IP traffic, but redirecting it to a different mailserver than the one to which it was addressed and then replacing it with what the ISP considers to be an equivalent mailing. That's no more palatable than just saying everyone has to send mail through the ISP's relay. Many Linux users want an ISP simply to route IP traffic into the Internet. I certainly do.

>Boxes that did send out more than the allotment could be turned off.

This is much, much harder than the original suggestion -- just allow outbound SMTP connections by request only. I agree that would all but solve the zombie problem. Very, very few of us would request that option, and very very few of those who did would become zombies.

Sadly, precisely because folks who want clear IP routing are such a small minority, what's actually going to happen is the ISPs will eventually turn off all routing except the few things that mainstream Windows websurfers need. There will not be any options. Options cost money.

Restricting outbound SMTP

Posted Jun 26, 2004 1:20 UTC (Sat) by Baylink (guest, #755) [Link] (1 responses)

Options cost money, yes, but the amount of money that option would cost would likely be epsilon compared to the amount of money they would *save* by not having to overprovision the links for the spam.

Anyone up for conspiracy theory?

It's Seagate and the carriers who are behind all the spam. :-)

Restricting outbound SMTP

Posted Jun 26, 2004 2:55 UTC (Sat) by giraffedata (guest, #1954) [Link]

Absolutely, but the point I made is that it is cheaper still to have no option, not overprovision for spam, and not allow anyone to connect to an extra-ISP SMTP server. I argue that this is a more likely eventuality than ISPs allowing people to opt in to SMTP routing.

Large ISPs ponder spam

Posted Jun 25, 2004 22:12 UTC (Fri) by barbara (guest, #3014) [Link]

What are the security problems with formmail.pl? According to Matt's Script Archive (scriptarchive.com/formmail.html) the last security update was April 2002. A quick Google check shows there were a lot of exploits for the old versions, but are there known problems for the latest version?

Barbara

Large ISPs ponder spam

Posted Jul 1, 2004 9:01 UTC (Thu) by job (guest, #670) [Link]

As long as the end users install untrusted software / spyware, nothing will be accomplished with the authenticated schemes. The spamming software will just route the mail through the normal, authenticated, channels. And then all your fancy signatures will be good for nothing.

What _could_ be done, is that ISPs could start to actually populate the abuse departments again. They used to react to spam reports by shutting down the abuser, but most of customer service is too expensive now. And they could check out the ten or hundred users sending out the most mail each day, see if it's spam, and shut down the abuser. The abusers are the most expensive customers anyway; you don't want those on your net.


Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds