Re: increase in spam and what to do about it
- From: davidc@xxxxxxxxxxxx
- Date: 24 Nov 2006 20:06:52 -0800
Bill Gunshannon wrote:

> > Which is the same set of "potential customers" - I'm just testing the
> > RBL at a different place.
>
> But, if you just change RBLs you open yourself up to all the places the
> other RBL had that the new one doesn't and you're back where you started.

You still don't understand. An MTA typically checks for an MX record
to determine which host to send mail to. Rather than accept and drop
an SMTP connection based on the IP address being in a RBL, it would
save some traffic to not respond to the DNS lookup if the
requester's IP address is on an RBL. It's the same RBL, just testing
the IP address at a different point of the SMTP process.

> > SPF is one of the social ways (setting up a trust relationship), but
> > spammers are getting around that, too.
>
> Not sure what SPF is, but I can assure you there is no way for spammers
> to get around my method.

Sender Policy Framework? It's a mechanism developed several years ago
in order to help validate the IP address of a sender's domain. Again,
since setting it up is a social contract (not required to use or
publish), the success of it is hit-and-miss.

And I guess I'm still not sure exactly how your method is to actually
work, and how all these agreements are executed and enforced.

> > Then the social solution (valid or not) is socially unaccepted.
>
> My social solution has not yet been tried, so we don't know that it
> is socially unaccepted.

I would at least venture that it hasn't been accepted yet, then?

> > Unless you charge per e-mail, there's nothing removing the conduit or
> > preventing its abuse. But then you penalize good people just for the
> > sake of banning the bad people.
>
> Metered service has been looked at and it is unacceptable. Plus, it
> doesn't stop spam but is very likely to make the innocent pay for it.

Agreed, even AOL has had lots of complaints about its plans to
implement something like this. How do you punish the abusers without
inflicting punishment or worse on the vast majority of people who don't
abuse it?

> > How do you stop it at the source? Which is the spammer, himself?
>
> True. You stop it by not giving the spammer a venue from which to send
> his spam. The sysadmins all agree (by contract) to not allow spam to be
> sent from their systems. Penalty: ostracism. The sysadmins of the local
> mailsystems have AUPs that carry penalties (which depend on the type of
> organization, i.e. ISP - include hefty fines in your customer contract,
> business - employee can be fired, school - expulsion or other academic
> sanctions, etc.) Thus, the spammer has no place where he is welcome on
> the new email network.

Back in the mid '90s, such things were done. Erols and other networks
had fines and such for spammers. It didn't work. This again refers
to the "whack-a-mole" game of spammer termination. Also, often the
spammers would sign up with accounts using credit cards of the clients,
or even stolen credit cards. So you end up not billing or punishing
the spammer, anyway. You kill one spammer account, and they have 10
more waiting to abuse when needed.

Of course, now much spam is from zombied Windows boxes. The spam can't
be traced back past the zombied PC. So, do you fine and terminate the
account of the person with the infected PC? That's going to sit well
with customers. What about the Wingate proxy exploitation of several
years ago? The proxy would allow SOCKS4-like remote access, making the
Wingate proxy appear to be the source, but no way to determine who
initiated the connection. And the wide variety of formmail.pl web form
abuse that occurred (and actually, I STILL had several dozen attempts by
some spammer to test my form mail web script on the Hobby Site:
dinotto2@xxxxxxx and topcopl2@xxxxxxx are their test accounts - may the
harvesters get them)? And there are still open SOCKS4 proxies, open
SMTP relays, and any number of other methods people are spamming
without using mail servers they are authorized to use.

They are already not using email networks where they are not welcome,
so why does your solution work?

> > Also, how do you require uniform AUPs across ISPs of various countries?
>
> Read what I said up above. The customers of the ISP all sign a contract
> (I know I had to!) You put serious penalties in the contract.

Yes, but they really have no teeth, the spammers are often using
fraudulent information, or on ISPs which don't have strong AUPs, or the
spammers are using networks which they are not authorized to use.

You are assuming the spammers are Law Abiding Honest Citizens. That
may be true of Usenet back in the day, not anymore.

> > Years ago panix, epoch,
> > and many other ISPs played constant whack-a-mole against spammers
> > creating accounts on their networks.
>
> But they have never instituted serious (and enforced) penalties against
> the people who violate their AUP.

Sure they did. It just didn't stop the spammers. Because they don't
care.

> > So, how do you get everyone that wants to send email to sign an AUP,
>
> You don't need everyone, only those who want to return email to the
> useful form it had 20 years ago.

But how does that help when there are those that don't?

> > After all, who would the enforcing body
> > be?
>
> If the users sign a contract, that would be the courts. :-) Especially
> if the contract includes serious financial penalties.

What if you get hit with a fine because your PC got trojaned? Are you
going to quietly pay the fine, or are you going to fight it because you
weren't the one sending the spam?

> > We have ISPs and providers with AUPs today.
>
> Name one ISP that has an AUP that includes a serious fine for spamming!

Been there, done that, didn't work. You end up punishing the wrong
people, like in the case above.

> > Usenet news isn't a good example, since it's been rampant with spam even
> > before e-mail (remember the Breidbart Index and Cancelmoose? Canter
> > and Siegel?).
>
> I didn't mean it as an example of a system that works perfectly, I meant
> it as an example of a system that only works between "trusted hosts".
> Try setting up a news server on your own. It won't go very far until you
> find at least one other News site willing to exchange with you. There is
> really nothing to stop these "trusted hosts" from having stricter AUPs
> so that none of the above existed. As a matter of fact, I believe that
> was the intent of USENET-II (I haven't looked lately to see how this has
> worked out.)

Yes, but peering news isn't that difficult. I used to when I was on
Sprint as an ISP. My current provider doesn't carry a feed, but there
are places that I can get a feed if I need it. Even still, spam is
still a big problem on Usenet, even today.

> > True, but those ISPs can be (and likely are) RBL'd against.
>
> If they were, I wouldn't be getting the spam. :-)

Then either you are using the wrong RBLs, or you are not RBL-ing the
entire offending ISP's address space.

> > Sometimes it's not the money, but the expense. Chasing and terminating
> > spammers takes time and effort. Then they just get a new account or
> > you end up with a new batch. Eventually, it just costs less to ignore
> > it.
>
> Unless you made them sign a contract in the first place that had severe
> financial penalties.

But that didn't work. Unless you require ALL ISPs to do that, and
again that's a "social contract" you're not going to get all ISPs to
adhere to. However, you can RBL their address space until they do. Or
whitelist (which helps but doesn't eliminate the issue due to
joe-jobbing).

> > But how do you reject it at the source? You get a customer to sign an
> > AUP? As I mentioned, we've already gone through that whack-a-mole
> > tactic of dealing with spammers years ago.
>
> But the AUPs they signed in most cases included no penalty beyond
> losing your account. They need to carry serious financial penalties
> as money is all anyone understands today.

You seem to honestly think that will work, since you continue to come
back to that. It doesn't work because you are either not punishing the
actual spammer, or the spammer just moves somewhere else or hides their
activities via other tactics.

> > Exactly - if a spammer spams through your mail server, and it gets
> > blocked (i.e. you socially disagree to accept their email traffic), all
> > your customers are punished. Not good for your business. You can't
> > stay in business when you treat all your customers like crooks.
>
> Under my system, one would assume that the peers would not need to be
> so draconian as to cut someone off on the first incident. Of course,
> it would likely depend on how the originating site handled the incident.
> If they had in their AUP (agreed to as a contract so that the courts are
> an arbiter) something along the lines of a $1000 fine for each incident
> of SPAM sent by the customer and they enforced it, it would be very
> unprofitable to send spam and there would be little if any chance of
> not getting caught. Thus removing the greatest incentive to spamming.

Okay, your zombied PC is involved in a spam run. Are you going to pay
the $1,000 fine? A 0-day exploit is found in your system, and
overnight you send out 1,000,000 spams. You get the bill. Do you pay
it?

> > No, it has to be. There is just too much damage via phishing, identity
> > theft, DDoS, and more to allow hundreds of thousands of Billy boxes on
> > the network. The cost is too high, and currently Microsoft does not
> > have the pressure to substantially fix it, despite the financial
> > loss caused by zombied machines. Either they need to be hardened or
> > more isolated. Maybe Microsoft can't do it, but eventually some
> > government or business is going to take a huge loss (probably a
> > lawsuit) due to damage caused by one or more Windows boxes.
>
> Sorry, but I don't believe this will happen until MS runs its course
> and is supplanted by something better.

I can only hope. Maybe Linux, since there seems to be much more
security and less abuse of Linux systems out there. I've only had two
times ever where a Linux box on my network has been exploited (and even
then, the exposure was limited) - one by an XML PHP script on a friend's
web server (for which the fix was readily available) and an SSL V2 flaw
many years ago.

> > Like I said, perhaps when companies and people start dropping MS after
> > that potential huge Multi-Mil-$ class-action lawsuit, we'll see some
> > REALLY serious action from MS on "Trusted Computing".
> > Eventually, someone is going to get an identity theft class-action
> > lawsuit against a company, and will win because they can demonstrate
> > that the data on their Windows boxes was exploited because they either
> > didn't update their virus definitions enough, or missed a service pack.
>
> But you just gave the best defense. The user "didn't update their virus
> definitions enough, or missed a service pack" and thus, it was their own
> fault.

You don't see it, do you? The COMPANY missed a service pack/virus
update. The USER'S data was on the COMPANY's computer. Jury will
probably award large damages. Company will review putting critical
data on MS software, as will others.

> > And frankly, I was around in the old Usenet days, too, but I never
> > signed an AUP to prevent me from spamming or any such thing.
>
> What's your point? Back in those days there were machines on the DARPANET
> that didn't even have passwords. Society in general was different and
> among the computer community in particular. Draconian AUPs weren't
> needed. Of course, people also used to leave their cars and even their
> houses unlocked, too. I can't think of many who still do.

Exactly. Pandora's box has been opened. Things that worked in the
good old days just don't apply anymore and/or don't scale well. After
all, that's why DNS was born, since even in the early DARPA days,
propagating an /etc/hosts wasn't feasible anymore.

> > Email was
> > just a poor medium to spam, so it wasn't used that way. Your
> > "original Usenet days" weren't socially or technically better than
> > before, just not viewed as a target of abuse.
>
> I disagree. I think they were better socially. The lack of Spam was
> probably more due to the limited social coverage nature of the medium.

Society has scammers, cons, thieves, and more. D/ARPANET wasn't a
target since there wasn't enough volume to be worth it. Now instead of
thousands of people, it's millions of people. Not just research
scientists and Computer Science students. It's kids, grandmas,
executives, homeless - and the best and worst of all of them.

> > Usenet News was where
> > the spamming problem started due to its more "broadcast" nature.
> > E-mail didn't become prevalent until the middle 1990's once the
> > Internet started to gain mindshare and more people had e-mail
> > (Compuserve, Prodigy, AOL).
>
> There were lots of different Email systems in the past, USENET, FIDO,
> Bitnet, etc. And then there were the commercial services like you
> mention, although Prodigy and AOL were latecomers. There was TELENET
> and TYMNET. But what was lacking technically was the computing resources
> and the conduit to handle the volume needed for spamming.

Not just the volume, but the target-rich environment. How many people
used to have e-mail 20 years ago? FAXes were the big thing back then.
But they had a "spamming" problem of their own, didn't they?
Something the Telecommunication Protection Act of 1991 had to help
solve. Well, it didn't so much, since the FCC had many forfeitures
even as lately as a few years ago with fax.com and American Blast
Fax.

Same scum, just adapting to newer technology.

> > Your sysadmin choice of social "trusts" has been implemented by public
> > and private RBL lists, SpamAssassin, Bayesian and other filtering
> > methods, but most can't just whitelist the rest of the world, either,
> > since many people NEED to be contacted by previously unknown places
> > (i.e. me). And until you get that first spam (or subscribe to an RBL
> > or other service to look at it for you), you really can't tell if it's
> > spam yet.
>
> As I said, RBLs are not a trusted host relationship; it is trying to
> put the responsibility on a third party and after the fact. That is
> a system destined to fail. It must be stopped at the point of origin
> and before the fact. It must be proactive and not reactive in order
> to work. If it is reactive, there are just too many potential spammers
> to deal with.

Sure it's a trust relationship. You trust the RBL to help you validate
the sender is not a likely spammer. Much like 3rd-party
authentication is commonly done with SSL/TLS.

But as I've mentioned, you can't stop the "point of origin" due to much
of the fraud and unauthorized use of zombied PCs, open proxies, and
various software exploits currently in use. Since often, the Received
header you track either is fraudulent, or only gets you back to the
exploited system - not back to the actual spammer in control.

The problem is oh-so-much bigger than just getting Ma Kettle to sign an
AUP saying she won't spam. She won't, but that doesn't mean her PC
won't be an unwitting accomplice to the act.

> > But as the whack-a-moles at ISPs worked (socially terminating their
> > connectivity for AUP violations),
>
> More aggressive penalties are needed in the AUP!!

But you can't require that, nor can you be assured that the penalties
actually punish the spammer in control.

> > spammers just used different tricks,
> > like third party SMTP relays,
>
> You don't relay. Oh, and did I mention that my proposal doesn't use
> SMTP. :-)

No, you didn't mention that. So how do you get the whole world to
switch to your protocol, and why is it unable to be exploited any
differently than SMTP has?

> > exploitation of WinGate firewalls,
>
> Not sure what that means, but I'll bet it relies on SMTP to send the
> mail from the attacked machine. See above.

> > exploitation of formmail.pl scripts
>
> Well, I won't even go into the potential security problems with any
> Perl or PHP scripts, but I can tell you that I was able to win the
> battle here to not allow the mail function on our web server.

> > (which I have a spammer attempting
> > to do that off the Hobbyist web form for the past few days -
> > topcopl2@xxxxxxx), abuse of SOCKS4 proxies, and the growing tide of
> > bot-nets.
>
> I'll bet all of these depend on SMTP as the underlying protocol and they
> also don't care who connects.

> > And forget just e-mail, IM spamming and web forum/blog
> > spamming is on the increase, too.
>
> They were never truly useful anyway, so I really don't care. I am trying
> to salvage Email, let someone who cares fix the others.

> > The problem is whatever the social
> > contracts are, the spammers will violate them and bypass them, as they
> > have for years. Spammers have been fined, sued, terminated, blocked,
> > and more (which is about as strong of a social solution statement you
> > can make), yet they still persist.
>
> Sorry, I have never heard of any spammer who has been held financially
> liable for his actions. Please provide some real examples.

Read the news. An owner of a bot-net recently got some jail time.
Even back in the mid-'90s Sanford Wallace lost a lawsuit to AOL for
spamming. Several states (Washington State for one) have also
prosecuted and won, too. You honestly haven't heard about any of
these? Just read Slashdot or The Register on occasion. Or read some
archives of news.admin.net-abuse.email.

> > There is no one solution. There may not be a solution. But you also
> > can't turn back the clock to the good ole days, either. Profiteers
> > will try anything they can to exploit the system for a measly buck.
>
> Or we can just sit here and let the bastards win. Sorry, I would rather
> try to convince people in a position to do something that the time is
> ripe for fixing things.

So, apparently you don't use SMTP, and you have to sign an agreement
with someone somewhere. Well, I guess it's a start, but how many
people do you have bought in on this so far? And exactly how does my
email get from my server to your server when whatever paperwork you
require is done? And how is it not subject to abuse?

Part of the problem of your solution is that it requires cooperation
from a rather large number of ISPs and admins, several software
developers, deployment across hundreds of thousands of servers. And
that's going to take some big doing and demonstration that what you
propose WILL work. So I think I might need to hear a little more than
"Oh, and did I mention that my proposal doesn't use SMTP. :-)".
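The two RBL check points argued over in this post (rejecting a listed peer when the SMTP connection arrives, versus the idea of withholding the MX answer from a listed DNS requester), as an added example that is not part of this thread and is nobody's posted code. The DNSBL zone name, the listed addresses and their 127.0.0.x answer codes, the MX records and the dict-backed resolver stub are all constructed for the example so that it runs offline. It also carries the caveat a practitioner would raise against the DNS-time check: an MX query normally reaches the authoritative server from the sender's recursive resolver, not from the sending MTA, so a listed MTA behind an unlisted shared resolver gets the MX answer anyway and is only stopped at the SMTP stage.

```python
import ipaddress

# Constructed data for this example: a made-up DNSBL zone, two listed
# addresses with conventional 127.0.0.x answer codes, and the MX records
# of a receiving domain. None of these are real lists or hosts.
ZONE = "dnsbl.example.invalid"
LISTED = {
    "203.0.113.7": "127.0.0.2",   # constructed: open relay
    "198.51.100.9": "127.0.0.4",  # constructed: compromised host
}
MX_RECORDS = [(10, "mx1.example.invalid"), (20, "mx2.example.invalid")]


def dnsbl_name(ip, zone=ZONE):
    """Build the name a DNSBL client queries for an IPv4 address:
    octets reversed, then the list zone.
    203.0.113.7 -> 7.113.0.203.dnsbl.example.invalid
    Raises ValueError for anything that is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


# Stub resolver: maps the full query name to the A record the list would
# return. A live deployment would replace this with a real DNS lookup.
STUB_DNS = {dnsbl_name(ip): code for ip, code in LISTED.items()}


def dnsbl_lookup(ip, resolve=STUB_DNS.get):
    """Return the DNSBL answer code for ip, or None when it is not listed."""
    return resolve(dnsbl_name(ip))


def smtp_connect_policy(peer_ip):
    """Check point 1: the MTA tests the connecting peer's address when the
    TCP connection arrives, before any message data is accepted.
    Returns (accept, smtp_reply)."""
    code = dnsbl_lookup(peer_ip)
    if code is not None:
        return False, f"554 5.7.1 {peer_ip} is listed in {ZONE} ({code})"
    return True, "220 mx1.example.invalid ESMTP"


def mx_query_policy(requester_ip):
    """Check point 2, the proposal from the thread: the authoritative name
    server tests the address the MX query came from against the same list
    and withholds the MX records when it is listed. Returns the records
    to answer with; an empty list means the query is refused."""
    if dnsbl_lookup(requester_ip) is not None:
        return []
    return list(MX_RECORDS)


def simulate_delivery(mta_ip, resolver_ip):
    """Run one delivery attempt through both check points.
    mta_ip is the sending MTA; resolver_ip is the address the MX query is
    seen from, which equals mta_ip only when the MTA does its own recursion.
    Returns the stage that stopped the message, or 'delivered'."""
    if not mx_query_policy(resolver_ip):
        return "refused-at-dns"
    accepted, _reply = smtp_connect_policy(mta_ip)
    if not accepted:
        return "rejected-at-smtp"
    return "delivered"


if __name__ == "__main__":
    # A listed MTA doing its own recursion never gets the MX answer.
    print(simulate_delivery("203.0.113.7", "203.0.113.7"))
    # The same listed MTA behind an unlisted shared resolver passes the DNS
    # check unnoticed and is only stopped at SMTP connect time.
    print(simulate_delivery("203.0.113.7", "192.0.2.53"))
    # An unlisted sender is delivered.
    print(simulate_delivery("192.0.2.10", "192.0.2.53"))
```

The reversed-octet query name is the part that carries over to real DNSBLs; the rest is policy. Note that the DNS-time check in `mx_query_policy` keys on whoever sent the query, so on a network where MTAs use a caching resolver the address it sees is the resolver's, which is why the second `simulate_delivery` call falls through to the SMTP check.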
- Follow-Ups:
- Re: increase in spam and what to do about it
- From: david20
- Re: increase in spam and what to do about it
- From: Bill Gunshannon
- Re: increase in spam and what to do about it
- From: JF Mezei
- Re: increase in spam and what to do about it
- References:
- increase in spam and what to do about it
- From: Phillip Helbig---remove CLOTHES to reply
- Re: increase in spam and what to do about it
- From: JF Mezei
- Re: increase in spam and what to do about it
- From: Bill Gunshannon
- Re: increase in spam and what to do about it
- From: davidc
- Re: increase in spam and what to do about it
- From: Bill Gunshannon
- Re: increase in spam and what to do about it
- From: davidc
- Re: increase in spam and what to do about it
- From: Bill Gunshannon
- Re: increase in spam and what to do about it
- From: davidc
- Re: increase in spam and what to do about it
- From: Bill Gunshannon
- increase in spam and what to do about it