Re: Lazy network operators
there are three replies here.

[EMAIL PROTECTED] (Robert Blayzor) writes:

> ... Having our techs/engineers go through the abuse@ box every day to play hide and seek is a bit of an agonizing task that nobody really wants, especially at the volume it is today. If there was a standard that worked for this, we would certainly follow it.

the wonderful trouble about standards is that there are so many to choose from. spamcop has one. IETF's INCH may become another one. but until a good open source toolbox comes out for sending, receiving, filing, ticketing and measuring incident reports in some such format, it won't catch on.

> As it is today, we have got to find something simple that works for the legit issues and something that doesn't burn up so many engineer/tech cycles.

i understand that position. but http just isn't a solution. before you deploy a forms-based approach, consider being more honest than that, and just bouncing all mail to abuse@ with a "we can't handle the internet" message.

[EMAIL PROTECTED] (Eric A. Hall) writes:

> Standardized scripts would also be abused.

yes, of course they would. just like spamcop is the target of many joejobs, and the majority of IDS vendors still think SMTP headers are trustworthy. the good open source toolbox i postulated above would have to include a distributed membership model whereby network owners only accept complaints from entities they already know and trust, which would mean their own customers and their BGP peers. if you get abuse on THAT channel then you have recourse (disconnection, depeering, whatever).

i've been writing since 1998 that a robust abuse reporting format and a complaints-follow-contracts submission path would cut abuse growth by 50%. but i guess in 1998 that didn't seem like an attractive enough goal. can you hear me now?

[EMAIL PROTECTED] (Steven Champeon) writes:

> ..., but I don't see how disabling RFC-mandated role accounts will do anything but further erode confidence in ISPs' willingness to respond to complaints.

two things. an rfc cannot mandate -- all internet standards are optional from the point of view of a network owner (or end user or implementor) -- and compliance is only necessary for locally selfish reasons (like being able to buy or sell services or products, for example.)

and, isp's are already unwilling to respond to complaints, even those they could pick out of the dreck flowing into their abuse@ mailboxes, since doing this would only benefit their competitors. think about it -- you spend money on an abuse desk whose purpose is to shut down your customers; your competitor who spends less money on an abuse desk ends up with more revenue since that's where your spamming customers go when you shut 'em down.

> As of today, fully 60% of my incoming mail is spam; 30% are bounces from accept-then-bounce servers; and we're quickly approaching 99% spam for several of the domains we host mail for.

60%? luxury!

> The last thing we need is for ISPs to deal with their inbound problem by ignoring abuse reports or making it more difficult for victims to report spam or viruses originating from their networks.

that time is past.

--
Paul Vixie
Re: Lazy network operators
EAH> Date: Mon, 12 Apr 2004 12:20:01 -0500
EAH> From: Eric A. Hall
EAH>
EAH> > today. If there was a standard that worked for this, we would
EAH> > certainly follow it.
EAH>
EAH> Standardized scripts would also be abused.

#include <pki-and-trusted-peers-debate.h>

Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Re: Lazy network operators
PV> Date: 13 Apr 2004 06:04:04 +
PV> From: Paul Vixie
PV>
PV> [EMAIL PROTECTED] (Steven Champeon) writes:
PV>
PV> SC> As of today, fully 60% of my incoming mail is spam; 30%
PV> SC> are bounces from accept-then-bounce servers; and we're
PV> SC> quickly approaching 99% spam for several of the domains
PV> SC> we host mail for.
PV>
PV> 60%? luxury!

Note 30% stupid bounces. I also suspect ~9% mailing lists.

Eddy
Anyone alive at ALTDB?
messages to db-admin have so far gone unanswered.
Re: Lazy network operators
Vixie writes:

> since we're talking about laziness, let's look at two ways in which we (nanog members and others like us around the world) have been lazy, for decades, and have therefore helped to create the current miserable abuse situation.

Paul, let me add one more to your list:

As a community, we have been too lazy to take hold of the architectural source of the problem, which is the complete lack of accountability over the ability to post email. This is not a technical issue (although I can hear echoes from the long past X.400 community already), it's simply a service definition issue. As a community, we've designed an end-to-end mail protocol (SMTP) and opened it up to everyone.

The reality is that the vast majority of end-user customers connected to the Internet have one or two email servers, and there is no reason to allow client connections to port 25 for posting. If ISPs simply filtered port 25 by default except from specified servers, there wouldn't be a huge base of client systems to tap into for robo-farms for spamming.

Of course, this breaks the end-to-end model of the Internet... Too bad. End-to-end makes sense in some contexts, and it doesn't in others. This is the latter case.

In reality, lots of folks have plenty of good reasons to want open access to port 25 from their entire prefix. That's also fine, *as long as you accept responsibility for what is sent*. Want both wide open access and complete deniability? That's the option we presently have, and frankly, it doesn't scale.

/John
Re: Lazy network operators
On Tue, 13 Apr 2004, John Curran wrote:

> Vixie writes:
> > since we're talking about laziness, let's look at two ways in which we (nanog members and others like us around the world) have been lazy, for decades, and have therefore helped to create the current miserable abuse situation.
>
> The reality is that the vast majority of end-user customers connected to the Internet have one or two email servers, and there is no reason to allow client connections to port 25 for posting. If ISPs simply filtered port 25 by default except from specified servers, there wouldn't be a huge base of client systems to tap into for robo-farms for spamming.

Hi John,

I don't think this is a fair assessment of the SMTP 'abuse' problem.. it's a lot more complicated; blocking port 25 will not reduce the volume of spam at all.

Most of the spam I'm seeing comes directly from end user hosts that have either an open proxy on them or some kind of malware with its own SMTP engine designed to send out junk.. in this model the only port 25 traffic is that from the end host coming outwards; I believe your suggestion is to filter port 25 towards hosts. Even blocking the outbound 25 traffic (eg pushing it via the ISP SMTP relay) will not stop the emails.

It is possible to extend this and implement some sort of statistical sanity checking on the mail being relayed (eg alarm/deny mail once it exceeds X/minute/host) which is potentially a workable solution.. I'd be interested if there's any patches to the major MTAs to do something with this (we use exim) as it could be an interesting test.

Of course this model throws up new problems you need to address such as roaming users not being able to smtp via their 'home' ISP via auth'd SMTP, making sure you don't filter ISP-ISP port 25 traffic etc

Steve
Re: Lazy network operators
At 8:39 PM +0100 4/13/04, Stephen J. Wilcox wrote:

> Most of the spam I'm seeing comes directly from end user hosts that have either an open proxy on them or some kind of malware with its own SMTP engine designed to send out junk.. in this model the only port 25 traffic is that from the end host coming outwards, I believe your suggestion is to filter port 25 towards hosts. Even blocking the outbound 25 traffic (eg pushing it via the ISP SMTP relay) will not stop the emails. It is possible to extend this and implement some sort of statistical sanity checking on the mail being relayed (eg alarm/deny mail once it exceeds X/minute/host) which is potentially a workable solution.

Steve, I'm very much suggesting blocking outward to the Internet port 25 traffic, except from configured mail relays for that end-user site. Those hosts which have SMTP malware are stopped cold as a result.

/John
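An added example, not code from any poster in this thread, sketching the two controls just discussed in one place: Stephen's statistical sanity check on mail relayed for customer hosts (alarm/deny once a host exceeds X per minute) and John's exemption for a site's configured mail relays. The log format, relay addresses and the threshold of 20 recipients per host per minute are all constructed assumptions, not any real MTA's output or configuration.

```python
"""Per-host outbound mail rate check with an exemption list for configured relays."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed relay log format (not a real MTA format):
#   <ISO timestamp> <client-ip> <envelope-sender> <recipient-count>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

# Hosts the operator has registered as legitimate outbound relays
# (constructed addresses from documentation ranges).
CONFIGURED_RELAYS = {"192.0.2.10", "198.51.100.25"}

WINDOW = timedelta(minutes=1)
LIMIT = 20  # recipients per host per minute before we alarm (constructed threshold)


def parse(line):
    """Split one constructed log line into (timestamp, host, sender, recipient count)."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


class RateMonitor:
    """Sliding-window count of recipients per originating host."""

    def __init__(self, limit=LIMIT, window=WINDOW, relays=CONFIGURED_RELAYS):
        self.limit = limit
        self.window = window
        self.relays = set(relays)
        self.events = defaultdict(deque)  # host -> timestamps of recent recipients
        self.alarmed = set()

    def observe(self, ts, host, n_rcpt=1):
        """Record one message; return 'relay-exempt', 'accept' or 'deny'."""
        if host in self.relays:
            return "relay-exempt"  # configured relays bypass the per-host check
        q = self.events[host]
        while q and ts - q[0] > self.window:  # drop events older than the window
            q.popleft()
        # Count each recipient separately: one message to 50 recipients is
        # as suspicious as 50 single-recipient messages.
        q.extend([ts] * n_rcpt)
        if len(q) > self.limit:
            self.alarmed.add(host)
            return "deny"
        return "accept"


def scan(lines, monitor=None):
    """Run the monitor over log lines; return per-line verdicts and alarmed hosts."""
    monitor = monitor or RateMonitor()
    verdicts = [(host, monitor.observe(ts, host, n)) for ts, host, _, n in map(parse, lines)]
    return verdicts, sorted(monitor.alarmed)


def constructed_log():
    """Constructed sample traffic: a quiet user, a busy legitimate relay, an infected host."""
    base = datetime(2004, 4, 13, 20, 39, 0)
    lines = []
    for i in range(3):  # home user: three messages over two minutes
        lines.append(f"{(base + timedelta(seconds=40 * i)).isoformat()} 203.0.113.7 user@example.net 1")
    for i in range(100):  # configured relay: 100 messages in one minute, legitimately
        lines.append(f"{(base + timedelta(milliseconds=600 * i)).isoformat()} 192.0.2.10 staff@example.com 1")
    for i in range(30):  # infected host: one message per second, two recipients each
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.99 bulk@example.org 2")
    return lines


if __name__ == "__main__":
    verdicts, alarmed = scan(constructed_log())
    print("alarmed hosts:", alarmed)  # alarmed hosts: ['203.0.113.99']
    for host in ("203.0.113.7", "192.0.2.10", "203.0.113.99"):
        vs = [v for h, v in verdicts if h == host]
        print(host, {v: vs.count(v) for v in sorted(set(vs))})
```

The infected host is accepted for its first ten messages (20 recipients) and denied from the eleventh onward, while the relay's much higher volume is never counted; the window also resets, so a burst of 15 followed by silence does not accumulate into an alarm.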
RE: Lazy network operators
We do that here, and I agree it should be a standard practice from the dialup/broadband/etc. provider standpoint. Aren't some of the newer malware/viri using the SMTP setting out of the email client to send through now to get around that anyway? It really shouldn't matter though. I'd rather be: a.) blocking the port 25 traffic and b.) virus scanning the outbound mail, than dealing with the thousands of "Your user tried to hack my system. I'm calling the FBI on you." messages.

Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Curran
Sent: Tuesday, April 13, 2004 3:53 PM
To: Stephen J. Wilcox
Cc: [EMAIL PROTECTED]
Subject: Re: Lazy network operators

At 8:39 PM +0100 4/13/04, Stephen J. Wilcox wrote:

> Most of the spam I'm seeing comes directly from end user hosts that have either an open proxy on them or some kind of malware with its own SMTP engine designed to send out junk.. in this model the only port 25 traffic is that from the end host coming outwards, I believe your suggestion is to filter port 25 towards hosts. Even blocking the outbound 25 traffic (eg pushing it via the ISP SMTP relay) will not stop the emails. It is possible to extend this and implement some sort of statistical sanity checking on the mail being relayed (eg alarm/deny mail once it exceeds X/minute/host) which is potentially a workable solution.

Steve, I'm very much suggesting blocking outward to the Internet port 25 traffic, except from configured mail relays for that end-user site. Those hosts which have SMTP malware are stopped cold as a result.

/John
Re: Lazy network operators
On Tue, 13 Apr 2004, John Curran wrote:

> I'm very much suggesting blocking outward to the Internet port 25 traffic, except from configured mail relays for that end-user site. Those hosts which have SMTP malware are stopped cold as a result.

NNTP is set up almost everywhere with configured server to server connections, and essentially all open NNTP user access has been closed down over the years.

How is the spam problem on USENET these days?
Re: Lazy network operators
>>>>> "Sean" == Sean Donelan <[EMAIL PROTECTED]> writes:

 Sean> NNTP is set up almost everywhere with configured server to
 Sean> server connections, and essentially all open NNTP user access
 Sean> has been closed down over the years.

 Sean> How is the spam problem on USENET these days?

It's not nearly as bad as it was at its peak, but it's still very much present.

--
Andrew, Supernews
http://www.supernews.com
Re: Lazy network operators
On 13-apr-04, at 22:32, Sean Donelan wrote:

> > I'm very much suggesting blocking outward to the Internet port 25 traffic, except from configured mail relays for that end-user site. Those hosts which have SMTP malware are stopped cold as a result.
>
> NNTP is set up almost everywhere with configured server to server connections, and essentially all open NNTP user access has been closed down over the years.
>
> How is the spam problem on USENET these days?

I've been on Usenet again for a while last year and there was surprisingly little spam compared to some years back. Apparently some people have taken it upon themselves to remove all the spam that pops up. NNTP is at an advantage over SMTP here because personalizing messages for each recipient isn't possible here.

Talking about lazy: blocking port 25 is very lazy, in several ways: intellectually, morally and just plain lazy. It's intellectually lazy because there are other ways to arrive at the same result that don't arbitrarily block communications between two consenting hosts. Morally it's lazy to assume that just because you don't need something, others won't either. And of course having all those access networks install filters rather than work on the problem yourself is just plain lazy.

If we all agree that we don't want to talk SMTP to broadband consumers, it shouldn't be too hard to come up with a registry that lists IP addresses used by broadband consumers. Or maybe it's easier to work the other way around and list the servers we actually may want to talk to. This approach has two main advantages over filtering port 25:

1. People can still talk to unlisted SMTP hosts if they feel they have a good reason to do so (ie, I get to deliver messages directly to my server from home rather than being forced to use my service provider's which may or may not work)
2. Checking is done per SMTP session rather than per IP packet

The good news is that the IETF is now starting work on this, so expect results in two or three years.
Cr/Hackers Strike Advanced Computing Networks
This was covered in the Washington Post, but the real information is on Stanford's web site. http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html
Re: Lazy network operators
At 11:15 PM +0200 4/13/04, Iljitsch van Beijnum wrote:

> This approach has two main advantages over filtering port 25:
> 1. People can still talk to unlisted SMTP hosts if they feel they have a good reason to do so (ie, I get to deliver messages directly to my server from home rather than being forced to use my service provider's which may or may not work)

You're right... Rather than simply having you tell your provider that you're responsible and having port 25 outward opened up, the freedom for anyone to send to port 25 on an ad-hoc basis like we have today is a better idea. Today's spam isn't a problem; everything's working as designed.

> The good news is that the IETF is now starting work on this, so expect results in two or three years.

Great idea: here's a case where we need less connectivity and better operational practices, but rather than take that task on, we should do more protocol work.

The reality is that the vast majority of email is handed off to a designated mail relay (whether we're talking about consumer connections or office environments), and if we actually configured connectivity in this matter, there wouldn't be a problem.

/John
Re: Lazy network operators
> The reality is that the vast majority of email is handed off to a designated mail relay (whether we're talking about consumer connections or office environments), and if we actually configured connectivity in this matter, there wouldn't be a problem.

our innate fear of this stems from suspicion of centralization and the telco switch model. this fear is not clearly unjustified. maybe we can get reasonable security without a police state?

randy
Re: Lazy network operators
In message <[EMAIL PROTECTED]>, John Curran writes:

> The reality is that the vast majority of email is handed off to a designated mail relay (whether we're talking about consumer connections or office environments), and if we actually configured connectivity in this matter, there wouldn't be a problem.

John, the problem is deciding who is an *authorized* email sender. For example, I own a machine in a random rack -- can it send email? The way I operate, it sometimes needs to -- I often set up tunnels to it from my laptop and from other machines in banned address ranges, and let it send my email. For that matter, it hosts several IETF and personal mailing lists.

Now assume that someone in some strange and wondrous part of the world has a similar need. Are they authorized? According to whom?

There have been a lot of authentication-based and filter-based schemes proposed, but I've yet to see a scheme that solves the authorization problem satisfactorily. Not everyone wants to (or is able to) entrust their email to a Tier 1 ISP; if nothing else, the Tier 1s would charge for the privilege.

--Steve Bellovin, http://www.research.att.com/~smb
Re: Lazy network operators
When evaluating spam solutions, the first thing I ask is, "Does this empower users?" If the answer is no, it's probably the wrong solution.

--
Chris Palmer
Staff Technologist, Electronic Frontier Foundation
415 436 9333 x124 (desk), 415 305 5842 (cell)
Re: Lazy network operators
At 5:38 PM -0700 4/13/04, Chris Palmer wrote:

> When evaluating spam solutions, the first thing I ask is, "Does this empower users?" If the answer is no, it's probably the wrong solution.

That's definitely the right idea to start with... The question is, do you change approach after a decade without progress?

/John
Re: Lazy network operators
At 8:36 PM -0400 4/13/04, Steven M. Bellovin wrote:

> Now assume that someone in some strange and wondrous part of the world has a similar need. Are they authorized? According to whom?

Steve, you're authorized if you say you are and agree to accept responsibility. Most corporations would readily provide the addresses of their mail servers; anyone on DSL or cable connection could do the same. But by changing the default behavior to block port 25 until requested, you could readily address the spam problem. It would take some work on the part of operator community (hence the subject), and doesn't fit in the world wide commune perspective of networking, but it would make the Internet far more useful for everyone.

/John
Re: Lazy network operators
At 10:13 PM -0400 4/13/04, joshua sahala wrote:

> so the malware writers start using port 80 through open proxies...they do already. or they go after the im client ports more. there are ways to send mail if 25 is blocked to me

Yep, there's no doubt we'd have to deal with the next round of creative approaches. I'd still wager we'd see a major decrease in spam as a result of some simple configuration.

/John
Re: Lazy network operators
In message <[EMAIL PROTECTED]>, John Curran writes:

> At 8:36 PM -0400 4/13/04, Steven M. Bellovin wrote:
> > Now assume that someone in some strange and wondrous part of the world has a similar need. Are they authorized? According to whom?
>
> Steve, you're authorized if you say you are and agree to accept responsibility. Most corporations would readily provide the addresses of their mail servers; anyone on DSL or cable connection could do the same. But by changing the default behavior to block port 25 until requested, you could readily address the spam problem. It would take some work on the part of operator community (hence the subject), and doesn't fit in the world wide commune perspective of networking, but it would make the Internet far more useful for everyone.

The spammers are already creating throw-away domains; they'd do the same with mail sender authorizations. "I am Spam, Spam I am" -- and send their turds and run.

--Steve Bellovin, http://www.research.att.com/~smb
Re: Lazy network operators
> The spammers are already creating throw-away domains ...

<registrar-hat=on>

yup. i've been watching today's crop-o-spam. it's pretty consistent, within 48 hours of a buy the domain shows up in a body of a spam, and the buy is for just one year. my business customers almost always throw 10 year buys at me.

my intra-registrar proposal is that we make these point at someplace novel, and make domain name persistency shorter than a year on the value-flow side of spam models.
Re: Lazy network operators
On Wed, 14 Apr 2004, Randy Bush wrote:

> > The reality is that the vast majority of email is handed off to a designated mail relay (whether we're talking about consumer connections or office environments), and if we actually configured connectivity in this matter, there wouldn't be a problem.
>
> our innate fear of this stems from suspicion of centralization and the telco switch model. this fear is not clearly unjustified.

There are also plenty of legitimate reasons to permit earthlink/juno/mindspring dialup users to hit mail relays on their own domains. For instance, when on travel how does John Curran access his istaff.org email? (presuming no 'ssh to my shell server and use pine/elm/mh/mailx')

> maybe we can get reasonable security without a police state?

What will the jack-booted-thugs do then? :)
Re: Lazy network operators
At 11:11 PM -0400 4/13/04, Steven M. Bellovin wrote:

> The spammers are already creating throw-away domains; they'd do the same with mail sender authorizations. "I am Spam, Spam I am" -- and send their turds and run.

Steve, this is not an authorization problem. I know that is how you like to characterize it. Yes, any spam house will simply say, "please open the door", and have it done. I don't claim to attempt to validate the customer intent, and this doesn't address that portion of the problem.

The problem is one of the default network behavior. Giving every PC default access to every mail server, combined with the state of individual machine security, results in situation where spammers can harvest farms of open machines which can originate email. If we can fix this by changing default behavior to make such machines less useful to hackers, while still allowing anyone who wants to originate to do so at will via configuration, what is the harm? To date, the most vocal objections have come from architectural purists and manufacturers of disk storage.

/John
Re: Lazy network operators
> > maybe we can get reasonable security without a police state?
>
> What will the jack-booted-thugs do then? :)

tell us how to close down other parts of the net so they can control and profit from them
RE: Lazy network operators
Steven M. Bellovin wrote:

> The spammers are already creating throw-away domains;

Indeed, a little stockpile has never hurt anybody; by registering them now they'll even have some that have been registered for 11 months when they use them in March 2005. There already are RHSBL lookup shops that attempt to block these as well.

> they'd do the same with mail sender authorizations.

True; although they will not suppress spam, mail sender authorization schemes do have two advantages: a) they will curb some (from the dumber spammers that still send their crud on behalf of [EMAIL PROTECTED]) and b) they will seriously reduce phishing schemes on behalf of ebay.com or mybank.com.

Michel.
Re: Lazy network operators
[EMAIL PROTECTED] (Chris Palmer) writes:

> When evaluating spam solutions, the first thing I ask is, "Does this empower users?" If the answer is no, it's probably the wrong solution.

right now the spammers are holding the users hostage: if you want to be able to read mail from people/hosts you've not been formally introduced to, then you have to swallow our swill also. that's somewhat the opposite of empowerment. if a spam solution can take away that crisis and the expense is that my dsl-connected end host has to tunnel its e-mail to someplace out in www.vix.com/personalcolo then that's a tradeoff i can live with.

--
Paul Vixie
Re: Lazy network operators
[EMAIL PROTECTED] (John Curran) writes:

> The question is, do you change approach after a decade without progress?

Based on my archives of this and related mailing lists... nope.

--
Paul Vixie
RE: Lazy network operators
John Curran wrote:

> If we can fix this by changing default behavior to make such machines less useful to hackers, while still allowing anyone who wants to originate to do so at will via configuration, what is the harm?

Besides architectural purity (which still bears weight) the problem is that configuration costs money. I have my own SMTP server at home because I'm not happy with my ISP's smarthost. That same ISP can't reverse-lookup my static IP to return a PTR that has my domain name in it; explain to me how they will build a filter that un-filters port 25 for my IP and does not for the next one.

Michel.
Re: Lazy network operators
[EMAIL PROTECTED] (Eric Brunner-Williams) writes:

> yup. i've been watching today's crop-o-spam. it's pretty consistent, within 48 hours of a buy the domain shows up in a body of a spam, and the buy is for just one year. my business customers almost always throw 10 year buys at me.

the only people who benefit from the current pricing model are registrars. if domains cost $300 a year we'd have less than 1% of the number we have now, but the ones we have would actually get used. i have never received mail from a domain ending in .biz that was not spam, for example.

--
Paul Vixie
Re: Lazy network operators
On Wed, 14 Apr 2004, Randy Bush wrote:

> > > maybe we can get reasonable security without a police state?
> >
> > What will the jack-booted-thugs do then? :)
>
> tell us how to close down other parts of the net so they can control and profit from them

Ah-ha! too bad that mean old IAB says we can't filter traffic :) (or advises against it, or thinks it's a bad idea...)

In all seriousness, the consumer dial/broadband folks had to take actions like port/25 filtering (inbound and outbound actually) to address spam issues with these systems. This is unfortunate for those folks out there that 'need' smtp access to something other than the blessed email servers of their dial/broadband provider(s). Making a more sensible solution for email than the current SMTP, or finding a middle ground that works for dial/broadband users would sure be nice. Any 'port 25' filtering is really just a short term solution until all spambots use locally configured SMTP settings to bypass the filtering :( (at least that seems to be the case with the spamwar in general, a constantly escalating war of technologies)

Perhaps finding a way to make spam non-profitable, or to put enough of the high-end spammers in jail? this seems like a daunting task I must admit :(

-Chris
Re: Lazy network operators
On (13/04/04 15:52), John Curran wrote:

> I'm very much suggesting blocking outward to the Internet port 25 traffic, except from configured mail relays for that end-user site. Those hosts which have SMTP malware are stopped cold as a result.

so the malware writers start using port 80 through open proxies...they do already. or they go after the im client ports more. there are ways to send mail if 25 is blocked to me

/joshua
--
When in danger, or in doubt, run in circles, scream and shout.
 - unknown -