Re: How do you stop outgoing spam?
At 01:33 AM 9/18/2002 -0400, Barney Wolff wrote:
> > 3. SMTPAUTH does not require an alternate port, yet it is sufficient for ensuring accountability. Hence it is sufficient for dealing with the reason that port 25 is blocked, without requiring that it be blocked.
>
> I don't understand this reasoning. The ISP's justification for blocking 25 except to its own servers is to avoid having its facilities used for abuse. How would the local ISP enforce use of SMTPAUTH to connect to some remote ISP?

The claim is that outbound 25 is blocked to prevent spam.

However, accessing a remote 25 with SMTPAUTH ensures full accountability and, therefore, prevents spam.

Blocking 25 disables use of this mechanism.

d/
-- 
Dave Crocker <mailto:[EMAIL PROTECTED]>
TribalWise, Inc. <http://www.tribalwise.com>
tel +1.408.246.8253; fax +1.408.850.1850
Re: How do you stop outgoing spam?
At 11:27 AM 9/18/2002 -0400, Greg A. Woods wrote:
> NO. Remote port-25 access, with or without SMTPAUTH, implies raw unencrypted plain old TCP/IPv4, in which case there is no connection integrity and thus no accountability.

I guess the last 20 years of Internet use have been entirely invalid then.

Too bad the 100 million current Internet users do not know that.

d/
-- 
Dave Crocker <mailto:[EMAIL PROTECTED]>
TribalWise, Inc. <http://www.tribalwise.com>
tel +1.408.246.8253; fax +1.408.850.1850
Re: How do you stop outgoing spam?
At 01:09 PM 9/18/2002 -0400, Greg A. Woods wrote:
> > I guess the last 20 years of Internet use have been entirely invalid then.
>
> Not necessarily -- it's a matter of what level of risk is acceptable in a given scenario.

Thank you. That was my point.

It therefore is essential to pay attention to fixing only real-world problems that have an operational basis -- or an extraordinarily unacceptable downside -- before imposing significant change on a large installed base of users.

> However we've now reached a point where spammers resort daily to theft of service against remote mail servers and to direct attacks against target remote mail servers.

As bad as that is, it is a long way from stealing connections. Entirely different technical basis. The current situation is technically trivial. Stealing connections is not. Perhaps that is why the former happens all the time and the latter does not.

> You're pointing out that some users don't want to live with that more restrictive framework.

I am pointing out that there is a balancing act to perform, and that 100 million users is more than some.

And lest you note that all 100 million are not mobile, and that some mobile users are not inconvenienced, I'll respond that whatever the number is, the impact on mobile hotspot users should finish the question about scale of the impact.

> I.e. you can do what you want to do if you use the right tools, but you can't do it over TCP port 25.

If you think a bit harder about your assertion, you will realize that the port number neither creates nor restricts the protection. All that changing the port number does is to impose guaranteed inconvenience on the entire population of mobile users.

> > Too bad the 100 million current Internet users do not know that.
>
> Indeed it is. Your kind of F.U.D. doesn't help any either.

Noting the impact on the installed base of Internet users is FUD?

And by the way...

For all the supposed benefit of port blocking -- e.g., we don't see as much dial-in spam sourcing -- do we have less spam in the world? Is spam less of a problem?

So the inconvenience to mobile users has not solved or even reduced the global problem.

Mechanisms for controlling globe-scaled misbehaviors need to be surgical in the care with which they are chosen and applied. Outbound port blocking is a blunt instrument and it is swung blindly.

d/
-- 
Dave Crocker <mailto:[EMAIL PROTECTED]>
TribalWise, Inc. <http://www.tribalwise.com>
tel +1.408.246.8253; fax +1.408.850.1850
Re: How do you stop outgoing spam?
On September 18, 2002 at 00:01 [EMAIL PROTECTED] (Dave Crocker) wrote:
> The claim is that outbound 25 is blocked to prevent spam.
>
> However, accessing a remote 25 with SMTPAUTH ensures full accountability and, therefore, prevents spam.
>
> Blocking 25 disables use of this mechanism.

Part of the disagreement here is basically one of calibration, how serious and desperate the spam problem is perceived to be.

One attraction of blocking port 25 is that you can now say to any spam complaints about your users demanding an answer WE DON'T ALLOW PORT 25 ACCESS SO IT MUST BE SOMETHING ELSE and get on with your day rather than sitting and staring at the headers like tea-leaves trying to formulate a reasoned reply. Over and over and over and over and over and over and over and over and over and over and over and over (get my point?) And maybe that quick answer would even be true.

Also, with blackhole lists, many running on automatic and hair-trigger, it lessens the chance that some excess mouth doesn't manage to get your entire ISP blackholed, or at least makes it easier to make your case.

Think about it: some little dork with a PC can manage to get your ISP onto some widely used blackhole list, and then your phones and email complaint lines really light up. Nothing like a few hundred extra customer complaints an hour to get your attention.

It sucks, Dave. It doesn't suck just a little bit, it sucks kinda like anthrax in the mail sucks. Spam is a wrecking ball which is successfully taking down the internet we once knew. If you find that hard to believe I invite you to sit here in my offices. I guarantee you your words at the end of the day will be "oh my f***ing god, I just didn't understand how bad it really is."

And it gets worse daily. If something doesn't come along and stop it I predict in 5 years e-mail will only work in gated communities (corporate LANs) etc and the net will basically become this passive electronic billboard system.

Blocking port 25 is kinda like the post office requiring packages over 1lb not be put in mailboxes, or banning pocket knives on planes; it's become so trivial relative to the actual problem it's hardly worthwhile discussing.

-- 
        -Barry Shein

Software Tool & Die    | [EMAIL PROTECTED]             | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989     *oo*
Re: How do you stop outgoing spam?
On Tue, Sep 17, 2002 at 08:35:03PM +0200, [EMAIL PROTECTED] said:
[snip]
> > Much more complex to implement and manage; doesn't scale well. The fewer decisions the anti-spam system has to make, the better it will work. If it only has to decide whether or not a specific IP/port combination has exceeded a certain threshold, it will run much more smoothly than if it's examining the contents of each packet.
>
> Indeed, that will be a lot more scalable. But if you still have to look into each packet to see which ones are link encrypted (and therefore should be left alone) and which ones aren't (and therefore should be transparent proxied and/or traffic-shaped), that is quite a bit more work.
>
> The question is how much abuse is too much? Is it okay to allow all open port 25 connections (traffic-shaped to low average bit-rates), or is any abuse too much?

Even the best solution will only approach 100% effectiveness as a limit. As in many things, it's a tradeoff - how much hassle are you willing to undergo for a steadily-diminishing return, 80/20 rule, etc.

Personally, I'd be happy for 80% of the operators out there to implement the easiest 80% of things required to stop spam. If people would just take even the most basic of steps required to block spam, the picture would improve drastically for all of us.

-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
Re: How do you stop outgoing spam?
At 10:26 AM -0700 2002/09/15, Dave Crocker wrote:
> 2. The issue with email is authentication, not privacy. Authentication can be achieved easily over port 25, without encryption. Hence, blocking port 25 blocks legitimately validated email, as well as possible spam.

True enough. However, there are no intelligent transparent proxies that I know of which will allow authenticated and/or link-encrypted port 25 connections through to the indicated site, and shunt the non-authenticated/non-encrypted sessions to the side.

Since this information is only available at the IP level, this is not something you can fix inside the SMTP MTA -- the critical information is destroyed before then.

I imagine if you could get cisco (and other vendors) to fix their transparent proxy server software to be more intelligent, that would fix the problem.

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++): a C++(+++)$ UMBSHI$ P+++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+() DI+() D+(++) G+() e++ h--- r---(+++)* z(+++)
Re: How do you stop outgoing spam?
On Tue, 17 Sep 2002 18:30:36 +0200, Brad Knowles said:
> I imagine if you could get cisco (and other vendors) to fix their transparent proxy server software to be more intelligent, that would fix the problem.

I suppose suggesting the use of port 587 would be pointless? ;)
Re: How do you stop outgoing spam?
On Tue, Sep 10, 2002 at 08:10:46AM -0400, Marshall Eubanks [EMAIL PROTECTED] replied to Iljitsch van Beijnum [EMAIL PROTECTED]:
[snip]
> > > When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.
> >
> > Would the uploads be HTTP? That's the only thing I'd want to limit to a few kbps. (Well, and outgoing SMTP to 0 kbps.)
>
> When I am at a cafe I use a web based encrypted email program, and if I email a large attachment (say a pdf file), then it goes http outbound. The other major outbound bandwidth use is scp (very rarely, ftp or ssh).
>
> I do not really see what the touch typing limit is relevant to - whose primary Internet use is telnet/ssh nowadays?

I'd estimate that my time is divided between SSH sessions (maybe 75%) and everything else (mostly web browsing and instant messaging (more text)), with music streaming generally going on in the background fairly constantly. YMMV - but text is pretty far from dead. :)

On the other hand, I'm pretty far removed from (not to mention vastly outnumbered by) your average AOL-subscribing casual Net surfer.

The OP was asking for solutions to blocking outbound spam. The most apparent (to me, anyway) is to rate-limit SMTP (or deny SMTP to dialup/dynamic addresses altogether; I have yet to see a convincing argument for allowing dialup users to run SMTP servers at this point in time). While that may take care of relay raping, there's still the HTTP problem to contend with (although I bet it's considerably less of a problem).

I would imagine a traffic analysis of a spammer using HTTP and casual surfing (or even large file transfers) would reveal some pretty significant differences that could be used to implement some shaping or rate-limiting.

> Again, when I go to a cafe in another city, I am generally there to get some work done, and frequently have a bunch of previously prepared files to send.
>
> I may not be a typical user...

Me neither. :) Hopefully this discussion is proving useful to the OP.

-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
Re: How do you stop outgoing spam?
At 1:00 PM -0400 2002/09/17, [EMAIL PROTECTED] wrote:
> > I imagine if you could get cisco (and other vendors) to fix their transparent proxy server software to be more intelligent, that would fix the problem.
>
> I suppose suggesting the use of port 587 would be pointless? ;)

Yup. He's specifically talking about the blocking of port 25. Talking about any other ports is beside the point.

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
    -Benjamin Franklin, Historical Review of Pennsylvania.
Re: How do you stop outgoing spam?
On Mon, Sep 09, 2002 at 11:31:44PM +0200, [EMAIL PROTECTED] said:
[snip]
> At 10:08 AM -0700 2002/09/09, John M. Brown wrote:
> > How do you determine what is spam? Not trying to be difficult or start another bloody thread. It would seem to me that in order to create an off the shelf non NOC-updating solution, you would have to be able to define what is spam and then you could detect it.

Spam is bulk, by definition. It doesn't work otherwise. Remove the capability for bulk and you have eliminated the problem (or at least forced it elsewhere). Rate limiting outbound SMTP is still the best technical solution I have seen in this thread, and requires little to no upkeep on an ongoing basis. As soon as you start examining the contents of mail, you have increased the effort required by an order of magnitude.

> You could transparently proxy port 25 for all outgoing traffic, and then run spamassassin on that machine (collection of machines). You could do a slightly modified version to look at the traffic on port 80. Not only would you be looking for standard spam keywords, but you would also be looking at spam reports from other people (e.g., Vipul's Razor), so this should continue to adapt as the spam attacks change.

Much more complex to implement and manage; doesn't scale well. The fewer decisions the anti-spam system has to make, the better it will work. If it only has to decide whether or not a specific IP/port combination has exceeded a certain threshold, it will run much more smoothly than if it's examining the contents of each packet.

> However, I also like the idea of doing a bandwidth budget on a per machine basis, with short term bursts allowing for most normal activity.

*nod*

-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
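The threshold rule Scott describes (decide only on whether an IP/port combination has exceeded a budget, never on content) and the per-machine bandwidth budget with short-term bursts that Brad mentions can both be implemented as one token bucket per source host. The block below is an added example written for this archive, not code from the thread or from any product named in it; the addresses, timestamps, burst size and hourly rate are all constructed for the demonstration.

```python
"""Per-source budget for outbound SMTP connection attempts.

Added example (not code from the thread, nor from any product named in
it). Each new connection to TCP/25 costs one token from the source host's
bucket; the bucket refills slowly and allows a short burst, so a person
sending a handful of messages is never touched while a bulk sender runs
dry and is throttled. Only (source, destination port, time) is consulted;
message content is never examined. All addresses, timestamps and
thresholds below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Bucket:
    tokens: float   # remaining connection budget
    last: float     # timestamp of the last refill


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since an arbitrary epoch (constructed)
    src: str        # source host on the access network
    dport: int      # destination TCP port


class SmtpConnectionBudget:
    """Token bucket per source, applied only to new connections to port 25."""

    def __init__(self, burst: int = 10, per_hour: float = 30.0) -> None:
        self.burst = burst                  # max connections in a short burst
        self.rate = per_hour / 3600.0       # tokens refilled per second
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, flow: Flow) -> bool:
        if flow.dport != 25:                # web, ssh, etc. are not budgeted
            return True
        b = self.buckets.get(flow.src)
        if b is None:
            b = self.buckets[flow.src] = Bucket(float(self.burst), flow.ts)
        # Refill proportionally to elapsed time, capped at the burst size.
        b.tokens = min(float(self.burst), b.tokens + (flow.ts - b.last) * self.rate)
        b.last = flow.ts
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False                        # over budget: throttle or drop


def evaluate(flows: List[Flow],
             limiter: Optional[SmtpConnectionBudget] = None) -> Dict[str, Tuple[int, int]]:
    """Replay flows in time order; return {src: (allowed, throttled)}."""
    limiter = limiter or SmtpConnectionBudget()
    tally: Dict[str, List[int]] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        counts = tally.setdefault(f.src, [0, 0])
        counts[0 if limiter.allow(f) else 1] += 1
    return {src: (a, t) for src, (a, t) in tally.items()}


# Constructed sample: a normal user, a bulk sender, and a web-only user.
SAMPLE_FLOWS = (
    [Flow(2000 + i * 600, "10.0.0.2", 25) for i in range(5)]      # 5 mails in 40 minutes
    + [Flow(1000 + i * 0.6, "10.0.0.7", 25) for i in range(100)]  # 100 connects in 60 s
    + [Flow(1500 + i * 2, "10.0.0.3", 80) for i in range(50)]     # browsing, never budgeted
)

if __name__ == "__main__":
    for src, (allowed, throttled) in sorted(evaluate(SAMPLE_FLOWS).items()):
        print(f"{src:10} allowed={allowed:3} throttled={throttled:3}")
```

With the constructed sample the normal user and the web-only host are never throttled, while the bulk sender gets its first ten connections through and the remaining ninety refused. The same decision could be taken by a router's rate-limit or a transparent proxy; what matters is that the rule needs per-source state of two numbers and no packet payload, which is why it scales where content inspection does not. The burst and hourly figures are only illustrative; an operator tunes them to the traffic of their own access network.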
Re: How do you stop outgoing spam?
On Mon, Sep 09, 2002 at 06:15:12PM -0700, [EMAIL PROTECTED] said:
> Rafi Sadowsky wrote:
> > Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS?
>
> There is something called flow-based RED (FRED) but it consumes a whole lot of memory because you have to keep track of lots more state. I don't know about that code.
>
> At the least what you can do is use the rate-limit command and rate limit *all* outbound TCP/80 traffic (or for that matter all access-list captured traffic). Now, doing so will make any but the most trivial outbound TCP/80 absolutely painful, and will cause tail drop. See Cathy Wittbrodt's work in this space, which was presented at NANOG some time ago.
>
> Note, I'm not saying you should *do* this. It may be going a bit too far for anti-spam.

Exactly. If operators as a group would just take the most elementary of steps to decrease spam (along the lines Paul suggested), the effects would be so significant that I think we wouldn't be worrying about HTTP spam traffic (at least for the time being). The fraction of spam traffic that runs over HTTP rather than SMTP is, I suspect, rather small. If anybody has numbers on this, I'd be interested in hearing them one way or the other.

-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
Re: How do you stop outgoing spam?
At 1:51 PM -0400 2002/09/17, Greg A. Woods wrote:
> No, Dave's second sentence is not true, thus his conclusion is bogus.

Dave was talking about normal TCP connections, and I was following the same model. If you're talking about hi-jacking the TCP connection, then you are correct.

> If you're talking about commercially available product, perhaps. However this kind of thing is trivial with basic IPsec gateways and simple filtering ala IP Filter, etc.

How many ISPs use IPsec gateways and simple filtering with tools like IP Filter? How scalable is this sort of thing? Could AOL do it with dozens or hundreds of OC-48 and OC-96 links? How long would it take to fix all the ISPs in the world that might potentially do transparent proxying of port 25?

And where is the intelligence to selectively forward only those connections that are themselves encrypted and authenticated?

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
    -Benjamin Franklin, Historical Review of Pennsylvania.
Re: How do you stop outgoing spam?
At 11:07 AM -0700 2002/09/17, Scott Francis wrote:
> Much more complex to implement and manage; doesn't scale well. The fewer decisions the anti-spam system has to make, the better it will work. If it only has to decide whether or not a specific IP/port combination has exceeded a certain threshold, it will run much more smoothly than if it's examining the contents of each packet.

Indeed, that will be a lot more scalable. But if you still have to look into each packet to see which ones are link encrypted (and therefore should be left alone) and which ones aren't (and therefore should be transparent proxied and/or traffic-shaped), that is quite a bit more work.

The question is how much abuse is too much? Is it okay to allow all open port 25 connections (traffic-shaped to low average bit-rates), or is any abuse too much?

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
    -Benjamin Franklin, Historical Review of Pennsylvania.
Re: How do you stop outgoing spam?
At 02:11 PM 9/16/2002 -0400, Greg A. Woods wrote:
> > 2. The issue with email is authentication, not privacy. Authentication can be achieved easily over port 25, without encryption.
>
> Well, no, not securely it can't. You cannot have a secure authenticated service running over a raw TCP circuit across public networks.

1. You are adding to the requirement. No matter how reasonable or advisable, encryption (privacy) is a separate function from authentication. And the rationale for doing port 25 blocking has to do with accountability, not privacy.

2. Just so there is no confusion, I meant encryption as in privacy (content encryption) rather than as part of an authentication mechanism.

3. SMTPAUTH does not require an alternate port, yet it is sufficient for ensuring accountability. Hence it is sufficient for dealing with the reason that port 25 is blocked, without requiring that it be blocked.

> > Hence, blocking port 25 blocks legitimately validated email, as well as possible spam.
>
> Well, yes, but obviously that doesn't matter. This is the real world Dave.

Thanks for noticing that. That is why I keep citing the impact on real, mobile users and the implication for such minor opportunities such as wireless hotspots.

d/
-- 
Dave Crocker <mailto:[EMAIL PROTECTED]>
TribalWise, Inc. <http://www.tribalwise.com>
tel +1.408.246.8253; fax +1.408.850.1850
Re: How do you stop outgoing spam?
On Tue, Sep 17, 2002 at 08:29:39PM -0700, Dave Crocker wrote:
> 3. SMTPAUTH does not require an alternate port, yet it is sufficient for ensuring accountability. Hence it is sufficient for dealing with the reason that port 25 is blocked, without requiring that it be blocked.

I don't understand this reasoning. The ISP's justification for blocking 25 except to its own servers is to avoid having its facilities used for abuse. How would the local ISP enforce use of SMTPAUTH to connect to some remote ISP?

-- 
Barney Wolff
I'm available by contract or FT: http://www.databus.com/bwresume.pdf
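The accountability Dave attributes to SMTPAUTH in his point 3, and the question Barney raises about who enforces it, both come down to a policy inside the receiving server: relaying to foreign domains is refused until the client authenticates, and the authenticated account is recorded in the message trace. The block below is an added example written for this archive, not code from the thread or from any MTA it mentions; it models a toy submission server in-process so the exchange can be run offline. The user database, domains, host name and sessions are all constructed, and the password comparison is in clear only to keep the example short (a real server checks against a stored hash).

```python
"""Toy SMTP submission state machine: relaying requires SMTP AUTH, and the
authenticated account is stamped into a Received-style trace line.

Added example, not code from the thread or from any MTA it mentions. The
user database, local domains, host name and exchanges are constructed.
"""
import base64
from typing import List, Optional, Tuple

LOCAL_DOMAINS = {"example.org"}            # constructed: domains we accept mail for
USERS = {"alice": "correct horse"}         # constructed credential store (demo only)


def plain_blob(user: str, password: str, authzid: str = "") -> str:
    """Encode SASL PLAIN credentials: authzid NUL authcid NUL password, base64."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


class Session:
    def __init__(self) -> None:
        self.auth_user: Optional[str] = None
        self.rcpts: List[str] = []
        self.trace: List[str] = []

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mx.example.org\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 5.5.4 Unrecognized authentication type"
            try:
                raw = base64.b64decode(blob, validate=True)
                _authzid, user, pw = (p.decode() for p in raw.split(b"\0"))
            except (ValueError, UnicodeDecodeError):
                return "501 5.5.2 Cannot decode credentials"
            if USERS.get(user) == pw:      # demo only; real servers compare hashes
                self.auth_user = user
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if verb == "MAIL":
            self.rcpts = []
            return "250 2.1.0 OK"
        if verb == "RCPT":
            domain = arg.rsplit("@", 1)[-1].rstrip(">").lower()
            # Local delivery is open to anyone; relaying needs an authenticated account.
            if domain in LOCAL_DOMAINS or self.auth_user:
                self.rcpts.append(arg)
                return "250 2.1.5 OK"
            return "550 5.7.1 Relaying denied; authenticate first"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 No valid recipients"
            who = (f"(authenticated user={self.auth_user})" if self.auth_user
                   else "(unauthenticated)")
            self.trace.append(f"Received: from client {who} by mx.example.org")
            return "250 2.0.0 Queued"       # body exchange omitted in this toy
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def run(commands: List[str]) -> Tuple[List[str], List[str]]:
    """Feed commands to a fresh session; return (replies, trace lines)."""
    s = Session()
    return [s.handle(c) for c in commands], s.trace


# Constructed exchanges: a relay attempt without AUTH, and the same with AUTH.
RELAY_WITHOUT_AUTH = ["EHLO laptop", "MAIL FROM:<alice@example.org>", "RCPT TO:<bob@example.net>"]
RELAY_WITH_AUTH = ["EHLO laptop", "AUTH PLAIN " + plain_blob("alice", "correct horse"),
                   "MAIL FROM:<alice@example.org>", "RCPT TO:<bob@example.net>", "DATA", "QUIT"]

if __name__ == "__main__":
    for cmds in (RELAY_WITHOUT_AUTH, RELAY_WITH_AUTH):
        replies, trace = run(cmds)
        for c, r in zip(cmds, replies):
            print(f"C: {c}\nS: {r}")
        print(*trace, sep="\n")
```

The first exchange ends in a 550 at RCPT, so an unauthenticated client on port 25 can only deliver to the server's own domains; the second is accepted and the trace line names the account that sent it, which is the accountability the argument turns on. The enforcement point is the remote server, not the local ISP's filter, which is exactly why the two sides of the thread talk past each other. Note that PLAIN sends the password base64-encoded, not encrypted; a real deployment only offers it after STARTTLS, which is the point Greg raises about raw TCP.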
Re: How do you stop outgoing spam?
Fortunately, our founding fathers also gave us not only the right, but the duty and the tools to take the treasonous out and dispose of them when they became a threat to the republic. That time is once again here.

At 21:53 9/10/02 -0400, you wrote:
> Ya know Vadim, with all due respect, some people choose to live on their knees, one govt after another. You do know what happened to HUAC et al don't you? They got their butts thrown out of congress. Sen Joe McCarthy died a lonely, bitter, drunk.
>
> Meanwhile, civilization demands of us to use a govt or govt-like entity to run a legal system, not vigilantism.
Re: How do you stop outgoing spam?
At 10:16 AM -0700 2002/09/10, Dave Crocker wrote:
> Laptop mobile users cannot use their home SMTP server.

Depends on the configuration of the SMTP server and the mail server client running on the laptop. With SMTPAUTH and/or TLSSMTP, and using a different (unfiltered) port, this shouldn't be a problem.

> In other words, by blocking output SMTP, mobile users are hurt badly.

Can be. Yup. Think of all the iPass and GRiC customers who don't even know who the local provider is that they're dialing up, so that they can get a network connection?

> I know that *I* certainly am. Constantly and seriously.

I'm very sorry to hear this. Maybe we can help you get SMTPAUTH and/or TLSSMTP set up on your server and/or client?

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
    -Benjamin Franklin, Historical Review of Pennsylvania.
Re: How do you stop outgoing spam?
At 2:37 PM -0400 2002/09/10, Barry Shein wrote:
> A) Make a clear policy as part of the terms & conditions, including a significant clean-up fee + direct charges (e.g., if they ask you or prompt a legal question they can pay the legal fee for you to get it answered.)

That's nice to have, but hard to enforce. That is, unless you ask for a large up-front cash deposit.

> B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)

Do you know how many credit cards are out there? Do you know how many of them are fake or stolen? You can't even get a decent charge that you can reliably apply to them, because the bank at the other end will refuse payment from a non-existent or closed account.

> C) Use (B) to enforce (A).

Doesn't work. See above.

> The problem in 99% of the cases is either (B) or ISPs who just don't care at all.

CyberCafes can't use (B), even if it did work. That would violate their basic premise.

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
    -Benjamin Franklin, Historical Review of Pennsylvania.
Re: How do you stop outgoing spam?
Brad Knowles wrote:
> > B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)
>
> Do you know how many credit cards are out there? Do you know how many of them are fake or stolen? You can't even get a decent charge that you can reliably apply to them, because the bank at the other end will refuse payment from a non-existent or closed account.

Then do what hotels do to avoid this problem. When you are given the card number and info, you contact the bank and put a hold on the account for the expected amount of the bill. When the bill actually comes due, you put the charge through. You know that the charge will succeed because the bank is already holding that amount.

If the card is stolen, bogus, overdrawn, etc., then you won't be able to place the hold. In which case, you reject the application.

> CyberCafes can't use (B), even if it did work. That would violate their basic premise.

What basic premise? Free anonymous access? That's new to me. Every one I've seen charges for access. They can easily require charge cards in advance, and place holds on them, in order to identify stolen cards and criminal users. And once a known-valid card is in hand, it can be used to directly impose penalty charges on those that violate the cafe's AUP (which should exist and have no-spamming/no-hacking clauses.)

If customers don't want to use charge cards, they can require a large cash deposit up-front, just like the video rental stores do if you try to get a membership without a charge card.

-- David
Re: How do you stop outgoing spam?
On Wed, 11 Sep 2002, Brad Knowles wrote:
> > B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)
> >
> > C) Use (B) to enforce (A).
>
> Doesn't work. See above.

Back in the day, a reasonable BBS would voice-validate all new users. This meant getting a valid phone number from a new user, and actually calling them back at that number, before activating an account.

We started as a BBS giving out Unix shell accounts. Our new user registration screen still says we voice-validate all new accounts, and we do.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: How do you stop outgoing spam?
And locking your car, taking the keys, setting the alarm or whatever doesn't guarantee someone won't load it into a soundproof truck. BUT IT HELPS!

And having run an ISP for 13 years now I'm here to tell you what I say HELPS. I'm not just making this stuff up, I'm telling you what I know from experience. Spammers et al look for easy marks they don't have to compound their crimes with.

As to CyberCafes, I don't know anything about those, never used one, never thought about it, surprised they'd be popular with spammers.

-b

On September 11, 2002 at 14:12 [EMAIL PROTECTED] (Brad Knowles) wrote:
> At 2:37 PM -0400 2002/09/10, Barry Shein wrote:
> > A) Make a clear policy as part of the terms & conditions, including a significant clean-up fee + direct charges (e.g., if they ask you or prompt a legal question they can pay the legal fee for you to get it answered.)
>
> That's nice to have, but hard to enforce. That is, unless you ask for a large up-front cash deposit.
>
> > B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)
>
> Do you know how many credit cards are out there? Do you know how many of them are fake or stolen? You can't even get a decent charge that you can reliably apply to them, because the bank at the other end will refuse payment from a non-existent or closed account.
>
> > C) Use (B) to enforce (A).
>
> Doesn't work. See above.
>
> > The problem in 99% of the cases is either (B) or ISPs who just don't care at all.
>
> CyberCafes can't use (B), even if it did work. That would violate their basic premise.
>
> -- 
> Brad Knowles, [EMAIL PROTECTED]
>
> They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
>     -Benjamin Franklin, Historical Review of Pennsylvania.

-- 
        -Barry Shein

Software Tool & Die    | [EMAIL PROTECTED]             | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989     *oo*
Re: How do you stop outgoing spam?
On Wed, 11 Sep 2002, David Charlap wrote:
> Brad Knowles wrote:
> > > B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)
> >
> > Do you know how many credit cards are out there? Do you know how many of them are fake or stolen? You can't even get a decent charge that you can reliably apply to them, because the bank at the other end will refuse payment from a non-existent or closed account.
>
> Then do what hotels do to avoid this problem. When you are given the card number and info, you contact the bank and put a hold on the account for the expected amount of the bill. When the bill actually comes due, you put the charge through. You know that the charge will succeed because the bank is already holding that amount.
>
> If the card is stolen, bogus, overdrawn, etc., then you won't be able to place the hold. In which case, you reject the application.

This actually uses the standard mechanism for credit card transactions. I forget the proper terms, but basically what happens is that you apply the charges at point of sale but then the settlement is actually authorised later on in the day, or in the case of not needing payment the charge is revoked. You don't normally notice this in day to day shopping.

The problems are that you need to put an amount through and that will be taken off the card holder's credit limit, so how much do you want to take? Too little and you've not really secured any cash, too much and you could reduce their available balance too greatly and cause them issues (they overspend!)

But ok, your real point is that if the card isn't valid you will get a rejection there and then. But there's a catch to this also in that a lot of credit card fraud these days is done on valid numbers.

This occurs quite simply as a result of going in a shop, giving someone your card and they either keep a copy of the number or, where they don't get access to the systems, can use hand held copiers to read the info off and upload later. These people then pass these perfectly legitimate numbers on..

Steve

> > CyberCafes can't use (B), even if it did work. That would violate their basic premise.
>
> What basic premise? Free anonymous access? That's new to me. Every one I've seen charges for access. They can easily require charge cards in advance, and place holds on them, in order to identify stolen cards and criminal users. And once a known-valid card is in hand, it can be used to directly impose penalty charges on those that violate the cafe's AUP (which should exist and have no-spamming/no-hacking clauses.)
>
> If customers don't want to use charge cards, they can require a large cash deposit up-front, just like the video rental stores do if you try to get a membership without a charge card.
>
> -- David
Re: How do you stop outgoing spam?
At 1:51 PM -0700 2002/09/10, Eliot Lear wrote:
> A proposed activity for Portland? Network engineer assisted homicide?

Seriously, how about a spam lottery? With payouts that only occur on the death of a known spammer?

Of course, you'd have to ensure that the death was accidental, as we would not want to be seen as condoning or encouraging murder.

-- 
Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
    -Benjamin Franklin, Historical Review of Pennsylvania.
Re: How do you stop outgoing spam?
At 12:48 PM -0400 2002/09/11, David Charlap wrote:
> When you are given the card number and info, you contact the bank and put a hold on the account for the expected amount of the bill. When the bill actually comes due, you put the charge through. You know that the charge will succeed because the bank is already holding that amount.

There are plenty of cards that don't properly authorize immediately. You can go ahead and place whatever hold you want or even make whatever charges you want, but a few days later you'll get a charge-back from the holding bank -- the charge was refused by the owner, the card doesn't actually exist, the card has been cancelled, etc. They got the service, you theoretically claimed your payment, and then you get screwed. I have a card like this. I've never used it this way, but I have accidentally managed to charge way more stuff on the card than my available credit, and my bank has done charge-backs.

> If the card is stolen, bogus, overdrawn, etc., then you won't be able to place the hold. In which case, you reject the application.

See above.

> What basic premise? Free anonymous access?

No. Anonymous access for a minimal fee. You can't ask people to lay down $500 cash (or whatever your spamming charge is) and expect to stay in business.

> Every one I've seen charges for access. They can easily require charge cards in advance, and place holds on them, in order to identify stolen cards and criminal users.

See above. There are also cards which don't properly authorize immediately, but the other way -- they are valid, the person presenting it really is the legal owner, there is plenty of available credit, but when you try to place a charge or a hold, it is refused. I have another card like this myself. As a CyberCafe operator, how do you deal with a situation where someone has only one card and it won't authorize?

> If customers don't want to use charge cards, they can require a large cash deposit up-front,

How large? How far are you willing to go while you keep losing business?

> just like the video rental stores do if you try to get a membership without a charge card.

Really? I've never seen that kind of behaviour here.

-- Brad Knowles, [EMAIL PROTECTED]

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -Benjamin Franklin, Historical Review of Pennsylvania.
Re: How do you stop outgoing spam?
On Wed, Sep 11, 2002 at 11:56:32PM +0200, Brad Knowles wrote:
> There are also cards which don't properly authorize immediately, but the other way -- they are valid, the person presenting it really is the legal owner, there is plenty of available credit, but when you try to place a charge or a hold, it is refused. I have another card like this myself. As a CyberCafe operator, how do you deal with a situation where someone has only one card and it won't authorize?

Depends on the relative costs. See below.

>> If customers don't want to use charge cards, they can require a large cash deposit up-front,
> How large? How far are you willing to go while you keep losing business?

That depends - how long will you be able to get an upstream which doesn't cancel your service for failure to deal with the problem? That, more than anything, is the opposite pressure cost - if it costs these places less to allow spam than to prohibit it, because nobody whacks them with an AUP saying "your efforts are insufficient", well, they're a business - they'll go with what's cheaper.

>> just like the video rental stores do if you try to get a membership without a charge card.
> Really? I've never seen that kind of behaviour here.

All the time, around here.

Summary: as with every other natural resource, 'the commons' are now held under market rule. If it turns a profit to spoil them, it will end up happening. The question is how to make it more costly to permit spam than to deny it. And on that note, it's the same old tune, and is no longer operational.

-- *** Joel Baker System Administrator - lightbearer.com [EMAIL PROTECTED] http://users.lightbearer.com/lucifer/
Re: How do you stop outgoing spam?
Eliot Lear wrote:
> Please be aware that this could have unintended consequences, and should be used in very constrained ways. In particular, there are any number of applications, including VPN applications that use port 80. I would recommend that only specified destinations get such treatment, if you apply it at all.

If somebody is ignorant enough to implement IP over HTTP, why should they be accommodated? There are numerous reasons why there are other port numbers to TCP than 80 and other protocol numbers to IP than 6. We could save a lot by eliminating unnecessary headers...

Pete
Re: How do you stop outgoing spam?
## On 2002-09-10 10:02 +0300 Petri Helenius typed:
PH> If somebody is ignorant enough to implement IP over HTTP, why should they be accommodated? There are numerous reasons why there are other port numbers to TCP than 80 and other protocol numbers to IP than 6.

Why do you think they're ignorant? Isn't TCP over HTTP normally used to attempt bypassing of firewalls? IMHO firewall/security admins are ignorant if they don't take this into account.

AFAIK you can tunnel IP over (at least):
1) HTTP (not just use port 80 for non-HTTP traffic)
2) ICMP
...
3) DNS queries (needs an external custom cooperating DNS)

-- Rafi
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002 01:48:57 +0200 (CEST) Iljitsch van Beijnum [EMAIL PROTECTED] wrote:
> On Mon, 9 Sep 2002, Marshall Eubanks wrote:
>>> Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
>> When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.
> Would the uploads be HTTP? That's the only thing I'd want to limit to a few kbps. (Well, and outgoing SMTP to 0 kbps.)

When I am at a cafe I use a web-based encrypted email program, and if I email a large attachment (say a pdf file), then it goes http outbound. The other major outbound bandwidth use is scp (very rarely, ftp or ssh). I do not really see what the touch typing limit is relevant to - whose primary Internet use is telnet/ssh nowadays? Again, when I go to a cafe in another city, I am generally there to get some work done, and frequently have a bunch of previously prepared files to send. I may not be a typical user...

Regards
Marshall

>> If I was limited to 4 kbps outbound, I would want my money back. Just one customer viewpoint :)
> Understandable. On the other hand, spammers using internet cafes isn't good either.
Re: How do you stop outgoing spam?
If somebody is ignorant enough to implement IP over HTTP, why should they be accommodated? There are numerous reasons why there are other port numbers to TCP than 80 and other protocol numbers to IP than 6. Unlike some people that immediately jump to conclusions, that someone may be not arrogant, but bright - using port TCP 80 is an excellent way to bypass firewalls. If your firewall performs content analysis, one can simply encode the data in valid HTML code. Alex
Re: How do you stop outgoing spam?
> Hi Eliot
> Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS?

It is more trouble than it's worth. SPAM is not a technical problem. It is a social problem. Using technical methods is not going to solve the problem. In the end, every time we come up with another method of detecting and blocking spam, another method of bypassing this defense is going to show up.

Alex
Re: How do you stop outgoing spam?
Rafi Sadowsky wrote: AFAIK you can tunnel IP over(at least): 1) HTTP(not just use port 80 for non HTTP traffic) 2) ICMP ... 3) DNS queries(needs an external custom cooperating DNS) E-mail: http://detached.net/mailtunnel -- David
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002 09:45:19 EDT, [EMAIL PROTECTED] said:
> It is more trouble than it's worth. SPAM is not a technical problem. It is a social problem. Using technical methods is not going to solve the problem.

There are two sayings that come to mind:

You can't solve social problems with technical solutions

There are very few inter-personal problems that can't be solved by the suitable application of high explosives

Most spam-fighting efforts on the technical side make the basic assumption that spam has similar characteristics to a properly designed TCP stack - that dropped/discarded spam-grams will trigger backoff at the sender. Unfortunately, discarding a high percentage of the grams will trigger a retransmit multiple times.

Spam is likely going to be a problem until we either hire some thug muscle from <pick ethnic organized crime group>, or the government does it for us...

-- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
RE: How do you stop outgoing spam?
Okay, I'm going to break my promise. Can anyone document more than one isolated instance, if that, of spammers using North American Cyber Cafes? (This is NANOG.) If so, wouldn't an appropriate AUP with appropriate fines to the CC the user used for access be a more appropriate sniper rifle shot rather than just shotgunning all your users? As far as 'loading' spam software, any Cyber Café that has the CPU out where Joe User has access and/or hasn't set appropriate user rights preventing software installation or system access, won't be in business very long anyway.

Best regards,
Alan Rowland

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Iljitsch van Beijnum
Sent: Monday, September 09, 2002 4:49 PM
To: Marshall Eubanks
Cc: [EMAIL PROTECTED]
Subject: Re: How do you stop outgoing spam?

> On Mon, 9 Sep 2002, Marshall Eubanks wrote:
>>> Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
>> When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.
> Would the uploads be HTTP? That's the only thing I'd want to limit to a few kbps. (Well, and outgoing SMTP to 0 kbps.)
>> If I was limited to 4 kbps outbound, I would want my money back. Just one customer viewpoint :)
> Understandable. On the other hand, spammers using internet cafes isn't good either.
Re: How do you stop outgoing spam?
Marshall Eubanks wrote: When I am at a cafe I use a web based encrypted email program, and if I email a large attachment (say a pdf file), then it goes http outbound. When I am at a cafe, I eat, drink, and sometimes converse with others. Again, when I go to a cafe in another city, I am generally there to get some work done Again, when I go to a cafe in another city, I am generally there to eat, drink, converse, and soak in the local sights. I might be in Burbank next week on business. We should meet up then. Think you could get me tickets and a VIP backstage tour at the Tonight Show? I'd like to meet with NBC execs and weigh the pros and cons of multicasting your band's performance in PIM Dense vs. Sparse mode. You're a great musician BTW. Tell Jay I said hi. Sal Sabella Get your free encrypted email at https://www.hushmail.com
Re: How do you stop outgoing spam?
Susan, why do your rules not apply to Jane? I realize she's a larger-than-life figure here, but enough is enough. I won my bet with my boss that she would violate AUP at least five (5) times and not get removed from the list. Please read the NANOG FAQ at http://www.nanog.org/aup.html. If there are further hypocrisies on your part, I'll have to ask Brad Knowles for an AOL account to post from.

Sal

> Please do not post personal messages on the NANOG mailing list, which focuses on Internet engineering and operations issues. In my last message to you I pointed to our AUP: http://www.nanog.org/aup.html If there are further AUP violations on your part, we'll need to remove your posting privileges from the list.
>
> Susan Harris, Ph.D.
> Merit Network/Univ. of Mich.

Get your free encrypted email at https://www.hushmail.com
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002 09:12:15 PDT, Joe St Sauver said:
> Actually, our experience *does* follow the backoff paradigm: if you block a particular source of spam, that rejection *does* seem to trigger message volume backoff at the source, with only periodic check probes apparently designed to see if the spam source is really still blocked (and of course it really still is).

Yes - but since they need to have N replies to their spam to make it worth the effort, they will just pound on somebody ELSE. I saw one quote from a very unapologetic spammer who was complaining that with all these blocks he had to send a lot more spam and his costs were up 1000% as a result.

Let's say a spammer needs 100 replies to turn a profit, and 1% of the things that make it into a mailbox get a reply. If nobody blocks spam, then the spammer only needs to send 10K messages before he profits. If 99% of spam is blocked, he has to send a million. That's why we're seeing statistics like receives 2 billion pieces of mail a day and 80% is spam.

Think of it like a host with multiple A records - if one A goes down, they *do* stop trying that one, but they then fail to use backoff on the OTHER addresses ;)

-- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
Re: How do you stop outgoing spam?
At 08:20 PM 9/9/2002 +, Paul Vixie wrote:
> outbound SMTP should be blocked for any dynamic or dialup source within

One of the basic problems with discussions about spam control is that it focuses entirely on spam. Blocking output SMTP from individual dial-ups has a serious negative consequence: Laptop mobile users cannot use their home SMTP server. At best, they must reconfigure for each venue -- goodbye wireless hotspot convenience -- and that is IF they know the SMTP server address for the local access. In other words, by blocking output SMTP, mobile users are hurt badly. I know that *I* certainly am. Constantly and seriously.

d/
-- Dave Crocker mailto:[EMAIL PROTECTED] TribalWise, Inc. http://www.tribalwise.com tel +1.408.246.8253; fax +1.408.850.1850
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002 [EMAIL PROTECTED] wrote: It is more trouble than its worth. SPAM is not a technical problem. It is a social problem. Using technical methods is not going to solve the problem. There are two saying that come to mind: You can't solve social problems with technical solutions That's what happens when you hang around with software engineers too long. They think all problems are solvable. And most problems, especially social ones, aren't: they need to be managed. Sure, you can't stop spam entirely by technical (or other) means, but that's no reason to ignore the problem and run an open relay. There are very few inter-personal problems that can't be solved by the suitable application of high explosives Sounds like a technical solution to me... Spam is likely going to be a problem until we either hire some thug muscle from pick ethnic organized crime group, or the government does it for us... Or we throw out SMTP and adopt a mail protocol that requires the sender to provide some credentials that can't be faked. Then known spammers are easy to blacklist.
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002, Dave Crocker wrote:
> At 08:20 PM 9/9/2002 +, Paul Vixie wrote:
>> outbound SMTP should be blocked for any dynamic or dialup source within
> One of the basic problems with discussions about spam control is that it focuses entirely on spam. Blocking output SMTP from individual dial-ups has a serious negative consequence: Laptop mobile users cannot use their home SMTP server.

Why are mobile laptop users NOT using ssl/esmtp? This uses port 587 or 425 or something like that... additionally, it provides authentication for the connection. At least in small scenarios it works beautifully.
Re: How do you stop outgoing spam?
A twist we saw spammers using on dialup accounts in Miami could come to cyber cafes and could be ugly. They were dialing in and then using the IP address to send spam out some other connection elsewhere where RPF wasn't in use. The return packets all came back on their dialup into us, but bypassed our filters that were then only on outbound packets.

Since these were wholesaled dial ports, we know there are no valid servers customers needed in RIPE and APNIC blocks and in long ACLs blocking various MSN servers, AND we know the dialup user's account. In a free cafe, you know none of that.

Having an inbound mirror image of the outbound ACL helped initially, and then a coworker crafted a reflexive access list that really stopped them. Inbound packets had to have matching outbound ones or were tossed.

We had visions of their finding a $spam$ friendly ISP that would sell them a SPAM OC-3 as long as he got no spam complaints. It could have served many spam machines running with dynamic IPs from many different ISPs and many user accounts on each - all at once. In the free cyber cafe that does not NAT and that does not know who the users are, there is potential for similar abuse.
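The reflexive filtering Barton describes, as an added example that is not from the post and is not Cisco IOS configuration: a small Python model of a reflexive access list that permits an inbound packet only when it answers a flow first seen leaving the dial-up side, and tallies the remote hosts whose unsolicited replies were dropped. All addresses and packets below are constructed.

```python
"""Model of a reflexive ACL on a dial-up aggregation router.

Outbound packets open a state entry for the reversed 5-tuple; inbound
packets must match a live entry or they are dropped. Return traffic for
a connection opened through some *other* provider (the spoofed-source
trick described in the post) never matches and is therefore tossed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (src, sport, dst, dport, proto) as the router would see it on ingress
FlowKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = from the dial-up user, "in" = from the Internet
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ts: float       # seconds since start of capture


class ReflexiveACL:
    """Stateful filter keyed on the reversed 5-tuple of permitted outbound flows."""

    def __init__(self, idle_timeout: float = 300.0) -> None:
        self.idle_timeout = idle_timeout
        self.table: Dict[FlowKey, float] = {}  # expected inbound key -> last seen

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def process(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        if pkt.direction == "out":
            # Permit, and remember the exact reply tuple we are willing to accept.
            self.table[(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)] = pkt.ts
            return "permit"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.table:
            self.table[key] = pkt.ts  # refresh the idle timer
            return "permit"
        return "deny"


def run(packets: List[Packet], idle_timeout: float = 300.0) -> List[str]:
    """Apply the reflexive ACL to a packet sequence and return one verdict per packet."""
    acl = ReflexiveACL(idle_timeout)
    return [acl.process(p) for p in packets]


def denied_by_remote(packets: List[Packet], idle_timeout: float = 300.0) -> Dict[str, int]:
    """Count dropped inbound packets per remote host: a spike from one mail
    server's port 25 is the signature of the abuse described in the post."""
    counts: Dict[str, int] = {}
    for pkt, verdict in zip(packets, run(packets, idle_timeout)):
        if verdict == "deny":
            counts[pkt.src] = counts.get(pkt.src, 0) + 1
    return counts


# Constructed sample traffic (documentation-range addresses).
USER = "10.9.8.7"            # address from the dial-up pool
WEB = "192.0.2.10"           # web server the user really visits
REMOTE_MX = "198.51.100.25"  # mail server reached via another, unfiltered path

SAMPLE = [
    Packet("out", "tcp", USER, 40000, WEB, 80, 0.0),
    Packet("in", "tcp", WEB, 80, USER, 40000, 0.1),          # genuine reply
    Packet("in", "tcp", REMOTE_MX, 25, USER, 51000, 0.2),    # SYN-ACK we never solicited
    Packet("in", "tcp", REMOTE_MX, 25, USER, 51001, 0.3),
    Packet("in", "tcp", WEB, 80, USER, 40000, 400.0),        # idle longer than timeout
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
    print(denied_by_remote(SAMPLE))
```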
Re: How do you stop outgoing spam?
The best way to stop spam from going out of an ISP is to:

A) Make a clear policy as part of the terms & conditions, including a significant clean-up fee + direct charges (e.g., if they ask you or prompt a legal question they can pay the legal fee for you to get it answered.)

B) KNOW WHO THE HELL YOU'RE GIVING ACCOUNTS TO so that (A) works. Get a credit card or verify the phone number and other info (e.g., call them back, insist on calling them back.)

C) Use (B) to enforce (A).

The problem in 99% of the cases is either (B) or ISPs who just don't care at all. I no longer believe "it was a throwaway account" is a reasonable excuse, except in a rare case where something slipped through the cracks; I understand it can happen. But when a spammer is creating throwaway after throwaway the ISP needs to change their account creation procedures because this information is shared by spammers and they've become a target.

-- -Barry Shein
Software Tool & Die | [EMAIL PROTECTED] | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
Re: How do you stop outgoing spam?
On September 9, 2002 at 14:47 [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
> On Mon, 09 Sep 2002 10:37:35 PDT, Al Rowland [EMAIL PROTECTED] said:
>> How many (more) protocols are we willing to cripple in the name of fighting spam?
> Crippling protocols won't help, in the long run. What will help is the use of a baseball bat, properly applied. Unfortunately, although it would probably be *cheaper* to hire <insert ethnic organized crime group> to simply whack the cluelessmailers.org list of top 100 offenders, network providers fall into two distinct classes:

You've certainly gotten to the heart of the problem, Valdis. The problem is we're up against a new organized crime on the internet in the form of scams and spams. And, although some won't like me saying this, having the technical community deal with these new criminals is a bit like sending the boy scouts after Al-Qaida. Unfortunately it's going to take a much harsher view of reality than "maybe this regexp will stop crime".

-- -Barry Shein
Software Tool & Die | [EMAIL PROTECTED] | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
RE: How do you stop outgoing spam?
On Tue, 10 Sep 2002, Al Rowland wrote: Can anyone document more than one isolated instance, if that, of spammers using North American Cyber Cafes? (This is NANOG) They usually use copy places like kinko's, or public libraries. Cyber cafes tend to be too conspicuous. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002, Dave Crocker wrote: At 08:20 PM 9/9/2002 +, Paul Vixie wrote: outbound SMTP should be blocked for any dynamic or dialup source within One of the basic problems with discussions about spam control is that it focuses entirely on spam. Blocking output SMTP from individual dial-ups has a serious negative consequence: Laptop mobile users cannot use their home SMTP server. I don't think Paul meant to say blocked as in 'connection refused', I think he meant that they should be redirected to a local machine that will happily send their mail (with reasonable limits on number of recipients per arbitrary time period, which all of your mail servers should have anyway). Andy Andy Dills 301-682-9972 Xecunet, LLCwww.xecu.net Dialup * Webhosting * E-Commerce * High-Speed Access
Re: How do you stop outgoing spam?
> and bypassing firewalls is an excellent way to get into BIG trouble with whomever is running the firewall. It is irrelevant how ignorant that person might be about the traffic which passes through their firewall. I'm sure if they were only slightly less ignorant they'd run a strict HTTP gateway on port 80 of their firewall and then you'd be stuck wrapping everything up to look like proper HTTP in order to bypass their firewall. It is better that you learn to negotiate the access you need than to have to resort to using covert channels which could get you busted.

Steno is a great thing, so it won't get anyone busted.

Alex
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002 19:18:59 +0200, Iljitsch van Beijnum said:
> Or we throw out SMTP and adopt a mail protocol that requires the sender to provide some credentials that can't be faked. Then known spammers are easy to blacklist.

It's nice to say "we make it easy to blacklist spammers". The problem is that those systems that *HAVE* made it easy to blacklist spammers are *ALWAYS* taking heat for making it easy - remember how ORBS was held in little high regard? And even the MAPS people have had their share of legal hassles.

We don't even have to throw out SMTP - there's STARTTLS, AUTH, PGP, and so on. The problem is that we don't know how to do a PKI that will scale (note that the current SSL certificate scheme isn't sufficient, as it usually does a really poor job of handling CRLs - and the *lack* of ability to distribute a CRL (which is essentially a blacklist) is the crux of the problem.

There's also the problem of distributing valid credentials to half a billion people - while still preventing spammers from getting any. The DMV hasn't learned how to keep *teenagers* from getting fake ID's, why should we expect to do any better in keeping a motivated criminal from getting a fake credential? It's not as easy as it looks. As Bruce Schneier talked about in Secrets and Lies, where he does a hypothetical threat analysis regarding getting dinner in a restaurant without paying, most of the attacks actually have nothing to do with the part of the transaction where money changes hands...

-- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
Re: How do you stop outgoing spam?
Point of information: Can you really distinguish all this intentionality vs. the spammer just changing which relay to rape? Perhaps because the raped relay was shut down or secured when the owner found out what was going on? Or the spammer just switching relays to rape for no specific reason other than they seem to go bad after a few hours, so use one for a while (perhaps a batch of addresses to spam) and then switch to the next in the list?

On September 10, 2002 at 09:12 [EMAIL PROTECTED] (Joe St Sauver) wrote:
> Actually, our experience *does* follow the backoff paradigm: if you block a particular source of spam, that rejection *does* seem to trigger message volume backoff at the source, with only periodic check probes apparently designed to see if the spam source is really still blocked (and of course it really still is). Now it is true that in many cases the spammer *will* do a set of probes in an effort to see just how broad a given block is (e.g., is it just a /32 that's being blocked? is it my entire netblock? is it a domain based filter? can I slide in via an open SMTP relay or an abusable proxy server?), but at least here at the U of O, we're NOT seeing spammers waste their time attempting delivery of hundreds or thousands of messages per day via hosts that have been identified and filtered.
> Regards, Joe

-- -Barry Shein
Software Tool & Die | [EMAIL PROTECTED] | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
Re: How do you stop outgoing spam?
On September 10, 2002 at 10:16 [EMAIL PROTECTED] (Dave Crocker) wrote:
> At 08:20 PM 9/9/2002 +, Paul Vixie wrote:
>> outbound SMTP should be blocked for any dynamic or dialup source within
> One of the basic problems with discussions about spam control is that it focuses entirely on spam. Blocking output SMTP from individual dial-ups has a serious negative consequence:

Yeah, well, too late, that battle was fought and settled years ago. The spammers are driving the standards at this point, not reasonable people trying to make things work. Ultimately that's one of my big problems with spammers, they're like termites in the RFCs quietly chewing away at both the letter and intent.

At this point your easy-to-agree-with point is kinda like saying "I pay taxes, I damned well ought to be able to walk any street in any city at any time of the day or night and be safe!" Nice sentiment, but unfortunately no longer realistic, not where the criminals are in charge.

-- -Barry Shein
Software Tool & Die | [EMAIL PROTECTED] | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
Re: How do you stop outgoing spam?
> One of the basic problems with discussions about spam control is that it focuses entirely on spam. Blocking output SMTP from individual dial-ups has a serious negative consequence: Laptop mobile users cannot use their home SMTP server.

in the business, we call this "tough noogies".

> At best, they must reconfigure for each venue -- goodbye wireless hotspot convenience -- and that is IF they know the SMTP server address for the local access.

i've gotten very good mileage out of ssl-smtp, and out of port forwarding so that my laptop uses 127.0.0.1:25 for outbound mail, which is actually a (ssh-borne) tunnel to my home smtp server.

> In other words, by blocking output SMTP, mobile users are hurt badly. I know that *I* certainly am. Constantly and seriously.

yes. let me take this opportunity to thank you for your significant contributions to smtp and of course rfc822. i'm sorry that you have to be hurt now. but the design calls for a polite population, and while that was true of the internet in 1983, it is absolutely not true today. the nonpolite nature of the overall population means that you will have to be hurt and you will have to change how you use mail in order to make the pain stop. there's a slight choice on the pain menu -- you can have (A) an unusable mail system clogged with unwanted traffic such as spam and viruses, or (B) a barely-usable mail system where everything you want to do is less convenient because you have to use ssl-smtp and ssh tunnels. either way you have to be hurt now. and that saddens me, it really does.
RE: How do you stop outgoing spam?
Steganography looked great in that Hollywood movie Along Came a Spider with Morgan Freeman (or at least the 'screen friendly' version they portrayed) but a recent study of millions of graphics across USENET found zero steganographic images. Great theory, no examples found in the wild, other than in Hollywood scripts and some folk trading porn of the type not usually posted to the public Internet. Anyone interested may try: http://www.earthweb.com/article/0,,10456_624101,00.html

Just my 2¢.

Best regards,
Alan Rowland

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 10, 2002 12:15 PM
To: Greg A. Woods
Cc: [EMAIL PROTECTED]
Subject: Re: How do you stop outgoing spam?

>> and bypassing firewalls is an excellent way to get into BIG trouble with whomever is running the firewall. It is irrelevant how ignorant that person might be about the traffic which passes through their firewall. I'm sure if they were only slightly less ignorant they'd run a strict HTTP gateway on port 80 of their firewall and then you'd be stuck wrapping everything up to look like proper HTTP in order to bypass their firewall. It is better that you learn to negotiate the access you need than to have to resort to using covert channels which could get you busted.
> Steno is a great thing, so it won't get anyone busted.
> Alex
RE: How do you stop outgoing spam?
> Steganography looked great in that Hollywood movie Along Came a Spider with Morgan Freeman (or at least the 'screen friendly' version they portrayed) but a recent study of millions of graphics across USENET found zero steganographic images. Great theory, no examples found in the wild, other than in Hollywood scripts and some folk trading porn of the type not usually posted to the public Internet.

Steno principles are alive and well. Covert channel transmissions are alive and well. Both were used to bypass compartmentalization on a certain secure OS. If anyone needs to encode data in valid HTML to tunnel it through a firewall, it *will* be done. Several years ago, we had implementations of telnet over email; I am sure modifying it to do telnet over HTML would be a rather trivial task.

Alex
Re: How do you stop outgoing spam?
[EMAIL PROTECTED] (Barton F Bruce) writes:
> A twist we saw spammers using on dialup accounts in Miami could come to cyber cafes and could be ugly. They were dialing in and then using the IP address to send spam out some other connection elsewhere where RPF wasn't in use. The return packets all came back on their dialup into us, but bypassed our filters that were then only on outbound packets.

this has been going on for some time. the example you gave of an OC3 used for outbound-only tcp streams is noncontrived and has been seen more than twice.

it's been a year or so, so i'll renew my question. is anybody, anywhere, including as a term of their peering agreement things like "must have a responsive abuse@ mailbox and act credibly to prevent spammers from becoming or remaining customers" or "must filter both bgp advertisements and ip source addresses from all customers, and require them to do likewise"? and if not, why not, and how long do you think it's going to take before we use economic methods to solve this scourge?

-- Paul Vixie
Re: How do you stop outgoing spam?
On Tue, Sep 10, 2002 at 12:45:01PM -0700, Al Rowland wrote: Steganography looked great in that hollywood movie Along Came a Spider with Morgan Freeman (or at least the 'screen friendly' version they portrayed) but a recent study of millions of graphics across USENET found zero steganographic images. Great theory, no examples found in the wild, other than in Hollywood scripts and some folk trading porn of the type not usually posted to the public Internet. I was going to stay out of this one, but then this came along. It is trivially easy to encrypt, transpose, or otherwise bury the message inside an image, or what have you. If I use a PRNG, prearrangement, or some other selection method to decide which bytes, or which files, or some combination of both will receive a chunk of the data to be hidden, and then encrypt it with a decent enough algorithm, it will not be easy to determine there is something there at all, particularly in a medium like USENET where lots and lots of large binary postings are common. Just because someone ran through a pile of images using jpegv4 with the jsteg patches, or some similar commercial application, does not mean it wasn't there -- it just means it wasn't obviously there. I myself have encrypted my PGP key's revocation certificates and buried them in some images on a website as a fallback storage method. Is it widely used? Probably not. Is it safe to say it's not being used on the basis of a quick check with an off the shelf utility or two? No. --msa
Re: How do you stop outgoing spam?
On Tue, Sep 10, 2002 at 12:45:01PM -0700, Al Rowland wrote: Steganography looked great in that hollywood movie Along Came a Spider with Morgan Freeman (or at least the 'screen friendly' version they portrayed) but a recent study of millions of graphics across USENET found zero steganographic images. Great theory, no examples found in the wild, other than in Hollywood scripts and some folk trading porn of the type not usually posted to the public Internet. Well, I wouldn't say that. There is an EXTENSIVE trade of some unknown data going to and from Asia (primarily Japan and China) through various forms of steganography in jpg png and gif images on free web hosting services. I can personally account for over 5Gbps (every day) of this traffic just from people I know, which I would hardly consider to be everyone. I've managed to reconstruct the data from pieces of scripts they have accidentally left behind, and come up with encrypted .zip files. Left a zip cracker running on a 1GHz machine for a couple months and came up with no results. I'm not gonna take any guesses as to the content, but I can tell you that they are very diversified, very persistent (you filter one route or transit path and they'll have moved to another within hours), and very innovative in hiding the data so that you can't detect what they're doing short of looking at every picture. -- Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Re: How do you stop outgoing spam?
## On 2002-09-10 09:45 -0400 [EMAIL PROTECTED] typed: Hi Eliot Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS? It is more trouble than it's worth. IMHO there are other problems beside SPAM that can use per flow shaping/rate-limiting SPAM is not a technical problem. It is a social problem. Using technical methods is not going to solve the problem. In the end, every time we come up with another method of detecting and blocking spam, another method of bypassing this defense is going to show up. How about using a combination of technical and social measures For example in a Cyber Cafe use passive technical measures to count the total number of outbound SMTP sessions and charge 1$ per Email over an average rate of 2 Emails/minute and 10$ per Email exceeding a rate of 10 per minute Alex -- Rafi
Re: How do you stop outgoing spam?
heresy Or unless we design a network which does not rely on good will of its users for proper operation. /heresy --vadim On Tue, 10 Sep 2002 [EMAIL PROTECTED] wrote: Most spam-fighting efforts on the technical side make the basic assumption that spam has similar characteristics to a properly designed TCP stack - that dropped/discarded spam-grams will trigger backoff at the sender. Unfortunately, discarding a high percentage of the grams will trigger a retransmit multiple times. Spam is likely going to be a problem until we either hire some thug muscle from pick ethnic organized crime group, or the government does it for us...
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002, Iljitsch van Beijnum wrote: Or we throw out SMTP and adopt a mail protocol that requires the sender to provide some credentials that can't be faked. Then known spammers are easy to blacklist. The credentials that can't be faked is a rather hard to implement concept. Simply because there's no way to impose a single authority on the entire world. The question is whom to trust to certify the sender's authenticity? I have correspondents in parts of the world where I'd be very reluctant to trust proper authorities. It'd be so very easy to silence anyone by _not_ issuing credentials. Besides, anonymous communication has its merits. So what's needed is zero-knowledge authentication and Web-of-trust model. And don't forget key revocation and detection of fake identity factories. Messy, messy, messy. --vadim
RE: How do you stop outgoing spam?
Rafi Sadowsky wrote: How about using a combination of technical and social measures For example in a Cyber Cafe use passive technical measures to count the total number of outbound SMTP sessions and charge 1$ per Email over an average rate of 2 Emails/minute and 10$ per Email exceeding a rate of 10 per minute So the person who connects after sitting on a plane for 5 hours gets charged extra because the laptop bursts 50 messages ... There is no automated technical approach to a social problem. Public executions would be much more effective than preventing legitimate customers from getting their job done. Tony
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002 [EMAIL PROTECTED] wrote: We don't even have to throw out SMTP - there's STARTTLS, AUTH, PGP, and so on. The problem is that we don't know how to do a PKI that will scale (note that the current SSL certificate scheme isn't sufficient, as it usually does a really poor job of handling CRLs - and the *lack* of ability to distribute a CRL (which is essentially a blacklist) is the crux of the problem. So let everyone have their own. If you want to send me email, create a certificate for yourself. Then before you can actually transfer messages, your system asks permission to do so, my system sends back a challenge to yours so I'm sure you haven't faked your reply address and your certificate is whitelisted. If you spam me, I can blacklist your certificate, your email address or your domain. If I handle mail for many users, I can apply some heuristics: new certificates/domains only get to send a small number of messages per hour initially or something similar. It's not as easy as it looks. Granted, but it's also not so hard we can't improve on a 20 year old protocol. As (nearly) always, the problem is backward compatibility. That makes it next to impossible to get something useful off the ground.
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002, Barry Shein wrote: And, although some won't like me saying this, having the technical community deal with these new criminals is a bit like sending the boy scouts after Al-Qaida. Unfortunately it's going to take a much harsher view of reality than maybe this regexp will stop crime. Last time I checked policemen weren't designing door locks. Not even in business of selling them. What we have is a lot of open doors having prominent signs "come in and take whatever you please" on them. This can and should be fixed by the technical community. US is not going to send troops to Nigeria just to catch some spammers anyway. Consider that a harsher view of reality :) --vadim PS. Criminals are criminals because they are stupid. If they were smart they could make a good living legally. Governments avoid competition, too.
Re: How do you stop outgoing spam?
Tony Hain wrote: Public executions would be much more effective than preventing legitimate customers from getting their job done. A proposed activity for Portland? Network engineer assisted homicide? ;-)
Re: How do you stop outgoing spam?
Well, it's clear that the real point I was trying to make was entirely missed by everyone, so let me try again. Dealing with problems, by focusing on absolute outbound port control, restricts legitimate use, as well as problematic use. For a group that is largely dominated by libertarian thinking, opting for blanket, outbound port control is odd. Very odd. Security mechanisms can choose between a default-yes or a default-no mode. Choosing to restrict outbound ports is a default-no. Think of this as the difference between democracy and totalitarianism. You get to do things until you try to do something wrong, versus you are not allowed to do anything until you first prove that it is ok. Spamming is a serious problem, and it needs serious responses, but we need to be very careful that dealing with the problem does not kill the net. At 03:34 PM 9/10/2002 -0400, Barry Shein wrote: On September 10, 2002 at 10:16 [EMAIL PROTECTED] (Dave Crocker) wrote: One of the basic problems with discussions about spam control is that it focuses entirely on spam. Blocking output SMTP from individual dial-ups has a serious negative consequence: Yeah, well, too late, that battle was fought and settled years ago. The spammers are driving the standards at this point, not reasonable people trying to make things work. There are no standards for these practices. There are component mechanisms, but no integrated solution that is documented in a standard. That's part of the problem. In reality what is being done is entirely ad hoc and inconsistent. Otherwise we could at least know what will work for all conforming sites. And we could migrate everyone over to it. And, again, let me stress that I am not saying spamming isn't a problem. But rather that dealing with spamming simplistically carries very serious side-effects.
At this point your easy-to-agree-with point is kinda like saying I pay taxes, I damned well ought to be able to walk any street in any city at any time of the day or night and be safe! No. It is like saying that because there is some street crime, in some places, let's make it illegal to walk anywhere, ever. And it is like saying that because some people make obscene phone calls, all phone calls will now be monitored. That really is what these blanket outbound controls are like. At 07:40 PM 9/10/2002 +, Paul Vixie wrote: Laptop mobile users cannot use their home SMTP server. in the business, we call this tough noogies. I had hoped that my reference to wireless hot-spot implications would make the scale and import of this approach adequately clear. That it does not nicely demonstrates why techies must not be in charge of a business that makes any claim to serving their customers. Broad-sweep, large-scale crippling of legitimate activity is not a realistic way to deal with a problem, even one as serious as spam. At best, they must reconfigure for each venue -- goodbye wireless hotspot convenience -- and that is IF they know the SMTP server address for the local access. i've gotten very good mileage out of ssl-smtp, and out of port forwarding so that my laptop uses 127.0.0.1:25 for outbound mail, which is actually a (ssh-borne) tunnel to my home smtp server. There are always technical solutions that techies can follow. A more relevant question is what it will take for 100 million average users. As everyone on this list knows, the Internet is about scaling. So it is entirely irrelevant what any one of the people on this list can do to make things work. It is ONLY relevant what the impact is on 100 million other folks. Folks who are not sysadmins. Folks who cannot constantly reconfigure their systems. And ultimately it does not matter that a particular hack can be propagated, such as mapping 25 to a local ssl redirect. 
What matters is that the model that leads to that hack is broken even worse than spamming, because it says that the way to respond to a problem by some folks is to block all folks. Today, port 25. Tomorrow -- and in some places, today -- all ports except a precious few and even those are mediated. be hurt now. but the design calls for a polite population, and while that was true of the internet in 1983, it is absolutely not true today. Since I never said anything against adding security mechanisms, I'll just assume that you missed my point. In order not to bog down too far on that point, let me just ask: And the BCP that specifies the correct set of technologies, configurations, and use is...? However the danger of going down this path is to miss the larger point about the problem with wholesale outbound port blocking. d/ -- Dave Crocker mailto:[EMAIL PROTECTED] TribalWise, Inc. http://www.tribalwise.com tel +1.408.246.8253; fax +1.408.850.1850
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002, Barry Shein wrote: A problem with spam is not only aren't you likely to get caught, it's not even generally agreed to be illegal. Worse yet, even in cases of clear criminal violations (eg relay rape, forgery, scams, death threats), it goes unprosecuted -- even when it's trivial to track down the offenders. And you would not BELIEVE the effort it takes to get the US military to close their open relays (not to mention close their smurf amps and shut down their rooted boxes). Fully half the fault and responsibility for the current state of affairs lies with providers who are unwilling to take any action to shut down well known spammers and abusers. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: How do you stop outgoing spam?
Rafi Sadowsky [EMAIL PROTECTED] wrote: How about using a combination of technical and social measures. How about nuking their DNS (providing they use DNS and not a URL with an IP address) from the face of the planet making sure they can't re-register it with any registrar? I know it gives them another hoop to jump through, but the jumping will keep them from spamming for a bit. Tim
Re: How do you stop outgoing spam?
On September 10, 2002 at 14:20 [EMAIL PROTECTED] (Dave Crocker) wrote: Well, it's clear that the real point I was trying to make was entirely missed by everyone, so let me try again. Dealing with problems, by focusing on absolute outbound port control, restricts legitimate use, as well as problematic use. For a group that is largely dominated by libertarian thinking, opting for blanket, outbound port control is odd. Very odd. I think we do understand very well. In a nutshell: We're hosed. Everyone is running around willy-nilly doing things like blocking outbound port servers, analyzing mail headers which were never meant to be analyzed, doing full body text searching against hundreds of regexp patterns, blocking hundreds if not thousands of IP addresses and entire (CIDR forgive me) nets, etc. At this point your easy-to-agree-with point is kinda like saying I pay taxes, I damned well ought to be able to walk any street in any city at any time of the day or night and be safe! No. It is like saying that because there is some street crime, in some places, let's make it illegal to walk anywhere, ever. The word for this is curfew and it's not unusual in troubled areas. And it is like saying that because some people make obscene phone calls, all phone calls will now be monitored. All phone calls are potentially monitorable because of problems like this. etc etc etc let's not quibble the analogies too much. My point is that we are now in a high crime zone, and what the laws (standards) say are becoming less and less influential versus frantic attempts to stop crime (spam.) You can't have law without order. Put another way, if no one will (or can) enforce the law such that order prevails people will just do what they have to. This often results in chaos. 1. Outlaws running crazy in the streets, drunk, raping, looting, tipping badly, etc. 2. 
Citizens meet in the church, yell at the sheriff, sheriff shrugs shoulders, bunch of men grab rifles and march out to confront outlaws themselves. 3. Massacre, vigilantes shoot each other, other honest townspeople, criminals laugh hysterically and vow to get drunker and have more fun (Dave, you've come in just about here.) 4. New sheriff comes into town, scares the crap out of everyone because he's so mean. Threatens to hang any citizen who takes law into own hands, etc. 5. New sheriff cleverly thwarts criminals while citizenry cowers behind closed doors and drawn curtains. 6. Law and order is restored, townspeople tearfully beg new sheriff to stay. Sheriff sneers, rides into sunset, next time you have to do it for yourselves. 7. Haunting tune whistled, credits roll. -- -Barry Shein Software Tool Die| [EMAIL PROTECTED] | http://www.TheWorld.com Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD The World | Public Access Internet | Since 1989 *oo*
Re: How do you stop outgoing spam?
On September 10, 2002 at 14:41 [EMAIL PROTECTED] (Dan Hollis) wrote: On Tue, 10 Sep 2002, Barry Shein wrote: A problem with spam is not only aren't you likely to get caught, it's not even generally agreed to be illegal. ...some stuff snipped... Fully half the fault and responsibility for the current state of affairs lies with providers who are unwilling to take any action to shut down well known spammers and abusers. But much of that goes back to spamming not being clearly illegal, in two ways: 1. Some just take the attitude that if it's not illegal then it's ok, ignorable even if obnoxious behavior. No doubt the fact that it's paying customers doing the spamming in some cases colors this view. For others it's probably just overworked, yet another distraction. 2. Some others take the attitude that if it's not illegal they're taking a chance (of lawsuit etc) if they shut someone down. Unless of course they have clear TC's, but no matter how you write them some obnoxious, aggressive, pond-scum can try to dispute that it applies to them. Been there, done that. Unless you do something nice and transparent like you get 5 complaints per month free, the rest cost you $100/each. -- -Barry Shein Software Tool Die| [EMAIL PROTECTED] | http://www.TheWorld.com Purveyors to the Trade | Voice: 617-739-0202| Login: 617-739-WRLD The World | Public Access Internet | Since 1989 *oo*
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002, Barry Shein wrote: 2. Some others take the attitude that if it's not illegal they're taking a chance (of lawsuit etc) if they shut someone down. But they often don't shut abusers down even when the activity IS illegal (eg flooding attacks, rooting boxes, scanning and dictionary attacks, criminal trespass relay rape, etc.) Unless of course they have clear TC's, but no matter how you write them some obnoxious, aggressive, pond-scum can try to dispute that it applies to them. Been there, done that. Or companies which don't enforce them (eg exodus) even when it's criminal trespass... -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Re: How do you stop outgoing spam?
Ya know Vadim, with all due respect, some people choose to live on their knees, one govt after another. You do know what happened to HUAC et al don't you? They got their butts thrown out of congress. Sen Joe McCarthy died a lonely, bitter, drunk. Meanwhile, civilization demands of us to use a govt or govt-like entity to run a legal system, not vigilantism. -b On September 10, 2002 at 18:29 [EMAIL PROTECTED] (Vadim Antonov) wrote: Some of us came from places where the new sheriff came and stayed. And because just scaring didn't work after some time, he proceeded to hang and hang and hang, murdering millions just to keep the rest properly scared. When someone gets power he's quite unlikely to part with it on his own. Harsher view of the reality, if you wish. Or, rather, real life experience. Calling on government to come and fix problems which can conceivably be fixed without it is a surefire way to get more sheriffs on your neck. HUAC[*] reading your e-mail to determine if it contains loathed un-american terrorist-sponsoring spam. With Ashcroft being in charge of grilling spammers. Or whomever he declared an enemy today. Be careful with what you wish. Your wish may be granted. --vadim [*] House Un-American Activities Committee.
Re: How do you stop outgoing spam?
At 09:53 PM 9/10/2002 -0400, Barry Shein wrote: You do know what happened to HUAC et al don't you? They got their butts thrown out of congress. Sen Joe McCarthy died a lonely, bitter, drunk. barry, look around and what's been happening over the last year. he's popular again. d/ -- Dave Crocker mailto:[EMAIL PROTECTED] TribalWise, Inc. http://www.tribalwise.com tel +1.408.246.8253; fax +1.408.850.1850
Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Hank Nussbacher wrote: The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a spammer CD and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely. You could traffic shape or rate limit the traffic towards port 80 to a few kbps for each IP address that might be used for spamming. If you allow small bursts (10 - 50k) this should be just fine for regular web access, since for that outgoing traffic is minimal: just the HTTP requests and ACKs. However, it will slow down spamming to at most a couple dozen spams per minute after the first few that fill up the configured burst size. I imagine this will make the spammers move on to greener pastures.
Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Iljitsch van Beijnum wrote: Looking for automatic off-the-shelf solution. Not something that requires a NOC to constantly update a Cisco ACL. -Hank On Mon, 9 Sep 2002, Hank Nussbacher wrote: The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a spammer CD and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely. You could traffic shape or rate limit the traffic towards port 80 to a few kbps for each IP address that might be used for spamming. If you allow small bursts (10 - 50k) this should be just fine for regular web access, since for that outgoing traffic is minimal: just the HTTP requests and ACKs. However, it will slow down spamming to at most a couple dozen spams per minute after the first few that fill up the configured burst size. I imagine this will make the spammers move on to greener pastures. Hank Nussbacher
Re: How do you stop outgoing spam?
How do you determine what is spam? Not trying to be difficult or start another bloody thread. It would seem to me that in order to create an off the shelf non NOC-updating solution, you would have to be able to define what is spam and then you could detect it. The only thing that comes to this feeble mind is something ala Snort, with a rule set that will catch most common finger prints of spam. The IDS would then have to trigger something to drop packets and alert the NOC. I guess if you treat it as an Intruder you might be closer at achieving your goals. just an idea. john brown On Mon, Sep 09, 2002 at 12:17:08PM +0300, Hank Nussbacher wrote: Please try to keep this discussion technical and not diverge to opinions. I am not looking for opinions or religion. I am trying to find automated tools/systems/boxes that will stop spam from going *out* from an ISP. The ISP has no servers and allocates IP address space to downstream customers who spam. Yes, I know all about ACLs to block offending IPs. The ISP is willing to buy any box or system to stop outgoing spams and thereby stop constantly playing with ACLs. The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a spammer CD and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely. Technical solutions welcome. Thanks, Hank
RE: How do you stop outgoing spam?
Kinda breaks broadband streaming audio/video in a Java/other web applet though...among other things. Best regards, _ Alan Rowland -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Iljitsch van Beijnum Sent: Monday, September 09, 2002 3:50 AM To: Hank Nussbacher Cc: [EMAIL PROTECTED] Subject: Re: How do you stop outgoing spam? On Mon, 9 Sep 2002, Hank Nussbacher wrote: The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a spammer CD and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely. You could traffic shape or rate limit the traffic towards port 80 to a few kbps for each IP address that might be used for spamming. If you allow small bursts (10 - 50k) this should be just fine for regular web access, since for that outgoing traffic is minimal: just the HTTP requests and ACKs. However, it will slow down spamming to at most a couple dozen spams per minute after the first few that fill up the configured burst size. I imagine this will make the spammers move on to greener pastures.
Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Hank Nussbacher wrote: Looking for automatic off-the-shelf solution. Not something that requires a NOC to constantly update a Cisco ACL. Correct me if I'm wrong, but the web (ok, most of it) has been running on TCP port 80 for quite a while now. So if you limit outgoing TCP packets to port 80 (and probably some variations, such as HTTP+SSL) to a few kbps, regardless of their destination, you don't hurt legitimate users except some very rare cases such as HTTP uploads but you make life less fun for spammers.
Re: How do you stop outgoing spam?
On Mon, Sep 09, 2002 at 08:24:19PM +0300, Hank Nussbacher wrote: On Mon, 9 Sep 2002, Iljitsch van Beijnum wrote: Looking for automatic off-the-shelf solution. Not something that requires a NOC to constantly update a Cisco ACL. PLEASE don't take this as an opportunity to start another spam thread (lest you find members of nanog testing out their theories from the blowing up the internet thread on your connection), but: Redirect all outgoing port 25 connections to your mail servers, and pipe all the messages through spamassassin (note: scalability not included). -- Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
RE: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Al Rowland wrote: Final comment on this subject (I promise) :) How many (more) protocols are we willing to cripple in the name of fighting spam? Obviously the crippled protocol here is SMTP, because it allows pretty much everything. As a rule, I'm against solving application problems at the network layer, but in this specific case (internet cafe) this specific solution (rate limiting/traffic shaping for traffic to HTTP servers) seems reasonable.
Re: How do you stop outgoing spam?
On Mon, 09 Sep 2002 10:37:35 PDT, Al Rowland [EMAIL PROTECTED] said: How many (more) protocols are we willing to cripple in the name of fighting spam? Crippling protocols won't help, in the long run. What will help is the use of a baseball bat, properly applied. Unfortunately, although it would probably be *cheaper* to hire insert ethnic organized crime group to simply whack the cluelessmailers.org list of top 100 offenders, network providers fall into two distinct classes: 1) Companies with *some* sense of morals/conscience - they won't do that sort of thing. 2) Companies that *would* stoop so low - they won't do it either because that would be attacking their own revenue stream. -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
RE: How do you stop outgoing spam?
At 10:18 AM -0700 2002/09/09, Al Rowland wrote: Kinda breaks broadband streaming audio/video in a Java/other web applet though...among other things. No, the traffic budget is on upstream traffic, not downstream. Stream content all you want, but don't try to generate too much upstream traffic or you get your bandwidth severely curtailed. -- Brad Knowles, [EMAIL PROTECTED] They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -Benjamin Franklin, Historical Review of Pennsylvania. GCS/IT d+(-) s:+(++): a C++(+++)$ UMBSHI$ P+++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+() DI+() D+(++) G+() e++ h--- r---(+++)* z(+++)
Re: How do you stop outgoing spam?
At 10:08 AM -0700 2002/09/09, John M. Brown wrote: How do you determin what is spam ? Not trying to be difficult or start another bloody thread. It would seem to me that in order to create an off the shelf non NOC-updating solution, you would have to beable to define what is spam and then you could detect it. You could transparently proxy port 25 for all outgoing traffic, and then run spamassassin on that machine (collection of machines). You could do a slightly modified version to look at the traffic on port 80. Not only would you be looking for standard spam keywords, but you would also be looking at spam reports from other people (e.g., Vipul's Razor), so this should continue to adapt as the spam attacks change. However, I also like the idea of doing a bandwidth budget on a per machine basis, with short term bursts allowing for most normal activity. -- Brad Knowles, [EMAIL PROTECTED] They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -Benjamin Franklin, Historical Review of Pennsylvania.
Re: How do you stop outgoing spam?
Brad == Brad Knowles [EMAIL PROTECTED] writes: Brad No, the traffic budget is on upstream traffic, not Brad downstream. Stream content all you want, but don't try to Brad generate too much upstream traffic or you get your bandwidth Brad severely curtailed. good consumer... don't try to talk. just watch the propaganda...
Re: How do you stop outgoing spam?
At 6:06 PM -0400 2002/09/09, William Waites wrote: BradNo, the traffic budget is on upstream traffic, not Brad downstream. Stream content all you want, but don't try to Brad generate too much upstream traffic or you get your bandwidth Brad severely curtailed. good consumer... don't try to talk. just watch the propaganda... Yeah, well. For Internet cafes, this is probably a fairly reasonable assumption. -- Brad Knowles, [EMAIL PROTECTED] They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -Benjamin Franklin, Historical Review of Pennsylvania.
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002, Brad Knowles wrote:

> > Brad> No, the traffic budget is on upstream traffic, not downstream. Stream content all you want, but don't try to generate too much upstream traffic or you get your bandwidth severely curtailed.

[The whole thing about port 80 upstream bandwidth limitations getting in the way of streaming audio/video sounds like nonsense to me, since this usually doesn't go _to_ TCP port 80, even flowing _from_ TCP port 80 is something I haven't seen this century.]

> > good consumer... don't try to talk. just watch the propaganda...
>
> Yeah, well. For Internet cafes, this is probably a fairly reasonable assumption.

Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
Re: How do you stop outgoing spam?
On Tue, 10 Sep 2002 00:41:09 +0200 (CEST) Iljitsch van Beijnum [EMAIL PROTECTED] wrote:

> On Tue, 10 Sep 2002, Brad Knowles wrote:
>
> > > Brad> No, the traffic budget is on upstream traffic, not downstream. Stream content all you want, but don't try to generate too much upstream traffic or you get your bandwidth severely curtailed.
>
> [The whole thing about port 80 upstream bandwidth limitations getting in the way of streaming audio/video sounds like nonsense to me, since this usually doesn't go _to_ TCP port 80, even flowing _from_ TCP port 80 is something I haven't seen this century.]
>
> > > good consumer... don't try to talk. just watch the propaganda...
> >
> > Yeah, well. For Internet cafes, this is probably a fairly reasonable assumption.
>
> Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.

When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions. If I was limited to 4 kbps outbound, I would want my money back.

Just one customer viewpoint :)

Regards
Marshall Eubanks
Re: How do you stop outgoing spam?
At 12:41 AM +0200 2002/09/10, Iljitsch van Beijnum wrote:

> Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.

You're forgetting keyboard macros. That might take you to 8Kbps, or perhaps a little more. ;-)

--
Brad Knowles, [EMAIL PROTECTED]
Re: How do you stop outgoing spam?
On Mon, 9 Sep 2002, Marshall Eubanks wrote:

> > Ok, suppose someone can touch type. The world record is something like 600 key presses per minute, which is 10 41-byte TCP packets per second ~= 4 kbps.
>
> When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.

Would the uploads be HTTP? That's the only thing I'd want to limit to a few kbps. (Well, and outgoing SMTP to 0 kbps.)

> If I was limited to 4 kbps outbound, I would want my money back. Just one customer viewpoint :)

Understandable. On the other hand, spammers using internet cafes isn't good either.
Re: How do you stop outgoing spam?
## On 2002-09-09 17:53 -0400 Marshall Eubanks typed:

ME> When I go to Internet cafes (I like Global Gossip), I connect my Ti-book to the local ethernet if at all possible (that's why I like Global Gossip) and use high bit rates (i.e., file transfers) in both directions.
ME>
ME> If I was limited to 4 kbps outbound, I would want my money back.

Are you doing your file transfers via HTTP or SMTP? What about rate limiting TCP SYN packets? I assume you're not doing more than say 1 file per second?

ME> Just one customer viewpoint :)
ME>
ME> Regards
ME> Marshall Eubanks

P.S. funny thing is I learnt the SYN rate limiting trick from Hank ...

--
Rafi
Re: How do you stop outgoing spam?
Paul Vixie wrote:

> per-destination host AND port egress rate shaping. if someone tries to send more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single IP address, then you can safely RED their overage. this violates the whole peer-to-peer model but there's no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception.

Please be aware that this could have unintended consequences, and should be used in very constrained ways. In particular, there are any number of applications, including VPN applications, that use port 80. I would recommend that only specified destinations get such treatment, if you apply it at all.

Eliot
Re: How do you stop outgoing spam?
## On 2002-09-09 17:15 -0700 Eliot Lear typed:

EL> Paul Vixie wrote:
EL>
EL> > per-destination host AND port egress rate shaping. if someone tries to send more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single IP address, then you can safely RED their overage. this violates the whole peer-to-peer model but there's no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception.
EL>
EL> Please be aware that this could have unintended consequences, and should be used in very constrained ways. In particular, there are any number of applications, including VPN applications, that use port 80. I would recommend that only specified destinations get such treatment, if you apply it at all.

Hi Eliot

Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS?

--
Regards,
Rafi
Re: How do you stop outgoing spam?
Rafi Sadowsky wrote:

> Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS?

There is something called flow-based RED (FRED) but it consumes a whole lot of memory because you have to keep track of lots more state. I don't know about that code. At the least what you can do is use the rate-limit command and rate limit *all* outbound TCP/80 traffic (or for that matter all access-list captured traffic). Now, doing so will make any but the most trivial outbound TCP/80 absolutely painful, and will cause tail drop. See Cathy Wittbrodt's work in this space, which was presented at NANOG some time ago.

Note, I'm not saying you should *do* this. It may be going a bit too far for anti-spam.

Eliot
Re: How do you stop outgoing spam?
Don't have to do it with Cisco IOS. FreeBSD works quite nicely for this. If an Internet Cafe, then place it on the upstream side of the network, or right before it.

On Tue, Sep 10, 2002 at 03:32:31AM +0300, Rafi Sadowsky wrote:

> ## On 2002-09-09 17:15 -0700 Eliot Lear typed:
>
> EL> Paul Vixie wrote:
> EL>
> EL> > per-destination host AND port egress rate shaping. if someone tries to send more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single IP address, then you can safely RED their overage. this violates the whole peer-to-peer model but there's no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception.
> EL>
> EL> Please be aware that this could have unintended consequences, and should be used in very constrained ways. In particular, there are any number of applications, including VPN applications, that use port 80. I would recommend that only specified destinations get such treatment, if you apply it at all.
>
> Hi Eliot
>
> Maybe I'm missing something obvious but how do you get rate-limiting per TCP *flow* with Cisco IOS?
>
> --
> Regards,
> Rafi
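The per-destination egress policing that Paul Vixie proposes above, and the per-flow rate limiting Rafi asks about, can be modelled in software as one token bucket per flow key. The following is an added example written for this archive, not code from any poster, from Cisco IOS or from FreeBSD: it charges each customer host's packets against two 1 kbit/s buckets (one per destination IP, one aggregate for everything going to port 80), flags the packets that exceed the budget (the "overage" a RED queue would be fed, here only counted), and carries Eliot Lear's carve-out as a hypothetical exempt-destination list. The packet records, host addresses and limits are constructed for the demo.

```python
"""Per-destination egress policer: one token bucket per flow key over constructed packet records."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    t: float     # seconds since start of the (constructed) capture
    src: str     # customer host on the cafe LAN
    dst: str     # remote IP address
    dport: int   # remote TCP port
    size: int    # bytes on the wire


class TokenBucket:
    """Classic token bucket: refill rate in bits/s, depth (burst allowance) in bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # refill rate in bytes per second
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)    # bucket starts full
        self.last = None

    def conform(self, t, size):
        """Charge `size` bytes at time `t`; False means the packet exceeds the budget."""
        if self.last is not None and t > self.last:
            self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class EgressShaper:
    """Two policers per customer host, as in the proposal: per destination IP and aggregate to port 80.

    Packets over budget are reported as "overage" (what a RED queue would act on).
    `exempt_dsts` is a hypothetical allow-list for destinations that get no shaping.
    """

    def __init__(self, rate_bps=1000, burst_bytes=2000, exempt_dsts=()):
        self.exempt = set(exempt_dsts)
        self.buckets = defaultdict(lambda: TokenBucket(rate_bps, burst_bytes))

    def keys(self, p):
        ks = [("dst", p.src, p.dst)]          # 1 kbit/s to any single IP address
        if p.dport == 80:
            ks.append(("port80", p.src))     # 1 kbit/s to all port 80s combined
        return ks

    def classify(self, p):
        if p.dst in self.exempt:
            return "exempt"
        # Every applicable bucket is charged, so accounting stays consistent even when one fails.
        results = [self.buckets[k].conform(p.t, p.size) for k in self.keys(p)]
        return "pass" if all(results) else "overage"


def build_sample_traffic():
    """Constructed packets (not captured data) exercising the three outcomes."""
    pkts = []
    # Host A: bulk upload to a web server, 1500-byte packets at 10/s (about 120 kbit/s)
    pkts += [Packet(0.1 * i, "10.0.0.11", "203.0.113.10", 80, 1500) for i in range(20)]
    # Host B: interactive ssh, 41-byte packets at 2/s (about 650 bit/s), within budget
    pkts += [Packet(0.5 * i, "10.0.0.12", "198.51.100.5", 22, 41) for i in range(20)]
    # Host A to an exempt destination (say the cafe's video-conference gateway)
    pkts += [Packet(0.3 * i, "10.0.0.11", "192.0.2.7", 80, 1500) for i in range(3)]
    return sorted(pkts, key=lambda p: p.t)


def run_demo():
    """Returns a Counter of verdicts over the sample traffic."""
    shaper = EgressShaper(rate_bps=1000, burst_bytes=2000, exempt_dsts={"192.0.2.7"})
    return Counter(shaper.classify(p) for p in build_sample_traffic())


if __name__ == "__main__":
    for verdict, n in sorted(run_demo().items()):
        print(f"{verdict:8s} {n}")
```

With a 2000-byte bucket depth only host A's first 1500-byte packet conforms; at 1 kbit/s the bucket refills 12.5 bytes per 0.1 s, so the rest of its upload is overage, while host B's typing-rate ssh session never drains its bucket. That asymmetry is the whole point of the proposal, and also why Lear's caution matters: anything bulk to port 80 (VPN over 80 included) lands in the same overage class unless its destination is on the exempt list.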