The well-behaved ISP's role in spamfight
As my wife urged me to clarify things :-)

The role for an ISP in fighting abuse is to detect and prevent its customers from sending malware & spam out of its network. Not filter incoming stuff, that would be censoring.

A number of means is available for an ISP, most provided that a customer has signed implicitly or in some form an AUP where rules for use of its services are stated.

The very simplest thing to do is make sure any outbound smtp is relayed through the ISP's mailrelays, where spam could be detected and subsequently blocked. A large number of other measures exists, it's only a matter of priority.

Relying on operating systems (read MS) to solve spam is hopeless, just think of MS track record. And open source won't help either.

Junking SMTP would mean that we lose an independent vendor-independent autonomous decentralized way of exchanging messages. It won't stop the bad guys, they can always find ways around it, but it will stop you and me from freedom to express ourselves and exchange thoughts.

Thanks for the opportunity to express my thoughts.

--
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
(It is cheaper to do it right. It is expensive to fix mistakes.)
I wish it were that clear cut. You also have a role to protect your customers against threats, and to ensure that their mailbox is at least usable rather than deluged with spam.

Being proactive about postmaster complaints and being sensitive to false positives in filtering is a useful middle path and a widely defined best practice. Never mind that quite a few large players don't follow it.

--srs

On 13/02/17, 8:43 AM, "anti-abuse-wg on behalf of peter h" <anti-abuse-wg-bounces@ripe.net on behalf of peter@hk.ipsec.se> wrote:

> As my wife urged me to clarify things :-)
>
> The role for an ISP in fighting abuse is to detect and prevent its customers from sending malware & spam out of its network. Not filter incoming stuff, that would be censoring.
In message <201702131743.10508.peter@hk.ipsec.se>, peter h <peter@hk.ipsec.se> writes

> The very simplest thing to do is make sure any outbound smtp is relayed through the ISP's mailrelays, where spam could be detected and subsequently blocked.

this is very unpopular with legitimate businesses who wish to be fully in control of their email sending destiny -- and ISPs generally do not wish to discourage the people who cause no trouble and pay their bills regularly and on time

so although "port 25 blocking" is a M3AAWG Best Practice it has not been widely adopted with the main (but not only) exception being the large consumer ISPs in the US (ISPs in Europe have, for historical reasons, had a significant number of business customers mixed in with pure consumers and that has made the difference)

--
richard
Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
On Monday 13 February 2017 18.09, Richard Clayton wrote:
> In message <201702131743.10508.peter@hk.ipsec.se>, peter h <peter@hk.ipsec.se> writes
>
>> The very simplest thing to do is make sure any outbound smtp is relayed through the ISP's mailrelays, where spam could be detected and subsequently blocked.
>
> this is very unpopular with legitimate businesses who wish to be fully in control of their email sending destiny -- and ISPs generally do not wish to discourage the people who cause no trouble and pay their bills regularly and on time
>
> so although "port 25 blocking" is a M3AAWG Best Practice it has not been widely adopted with the main (but not only) exception being the large consumer ISPs in the US (ISPs in Europe have, for historical reasons, had a significant number of business customers mixed in with pure consumers and that has made the difference)
There is not any req that all customers always should be forced to use ISP relays, the default behaviour might be to use ISP relays, and to have DHCP given address. But for an extra service one could obtain a fixed address, and as extra service, use port 25. The main point is to have those "unaware" users, whose computers might be stolen, prevented. They won't notice, and they don't get harmed.

Spam from a fixed ip or range is much easier to detect and correct than spam from any box that happens to get a DHCP lease. Flexibility and service is the keyword here.

Also, to have an AUP that gives the ISP right to disconnect or block offenders is important, and also that the customer has right to service. Any agreement is twofold, both rights and obligations, like in society in general.

I'm glad that spam is recognised as the problem it is and hope a renewed activity to claim back the bandwidth and storage space the spammer has taken from us.

Yours

--
Peter Håkanson
There's never money to do it right, but always money to do it again ... and again ... and again ... and again.
(It is cheaper to do it right. It is expensive to fix mistakes.)
On Mon, 13 Feb 2017 22:18:49 +0100 peter h <peter@hk.ipsec.se> wrote:
> There is not any req that all customers always should be forced to use ISP relays, the default behaviour might be to use ISP relays, and to have DHCP given address. But for an extra service one could obtain a fixed address, and as extra service, use port 25. The main point is to have those "unaware" users, whose computers might be stolen, prevented. They won't notice, and they don't get harmed.

there used to be free (and reasonably well maintained) open lists of dynamic IPv4 ranges. Since everyone started selling (or renting) data, getting a free (and maintained) list of dynamic ranges is difficult, if not impossible - anyone know of any such free list?

> Spam from a fixed ip or range is much easier to detect and correct than spam from any box that happens to get a DHCP lease. Flexibility and service is the keyword here.

in a perfect world only email servers would be sending email. In our world someone's Android phone could also be an email server & client and some "ISP" loves using dynamic ranges as an excuse for poorly maintained or non responsive abuse systems (or policy enforcement)

> Also, to have an AUP that gives the ISP right to disconnect or block offenders is important, and also that the customer has right to service. Any agreement is twofold, both rights and obligations, like in society in general.
>
> I'm glad that spam is recognised as the problem it is and hope a renewed activity to claim back the bandwidth and storage space the spammer has taken from us.
>
> Yours
Hi,

On 13.02.2017 at 22:18, peter h wrote:

> There is not any req that all customers always should be forced to use ISP relays, the default behaviour might be to use ISP relays, and to have DHCP given address. But for an extra service one could obtain a fixed address, and as extra service, use port 25. The main point is to have those "unaware" users, whose computers might be stolen, prevented. They won't notice, and they don't get harmed.
The best practice should be to (automatically?) block port 25 as soon as there are complaints about SPAM being sent from the according account. Maybe some reputable blacklist providers could work together with ISPs to provide them real-time notifications for their IP allocations based on a kind of "push service".

Then (as a provider) you have:

A) Customers that can use any port unfiltered and are not complaining about blocked ports in your support department.
B) If you receive notifications about SPAM being sent you have a good reason to block specific ports for this user (and, of course, send a notification to the customer).
C) The customer is made aware that something inside his network is infected with malware which should get cleaned. The provider could offer help, fees apply.

If I block port 25 outgoing by default, the user can sit there for ages in his home network while the malware is trying to send SPAM - but the customer won't notice. "Yes, of course, the computer is very slow, but..." As soon as the user moves his infected laptop to another network which doesn't have this blocking policy for whatever reason, the malware fires out its offers for medication to improve specific parts of the male body.

And, besides SPAM, there are also other services that are getting targeted by malware - for example SIP. You can set up a SIP server, reachable to the whole world on port 5060/UDP and you get a feeling that specific parts of the internet are trying to place phone calls to countries you wouldn't even find on a map ;-) THAT is more than a bit inconvenient - it's really harmful and costs real money (much money).

But: Would you block port 5060 by default? And which other ports, too? And what about bruteforce attacks against websites? And why aren't ISPs blocking incoming packets to port 1900/UDP or port 5454/UDP by default, which are misused for DDoS attacks?

I think blocking ports by default isn't the cure. It's just raising support volumes.

IMHO the better way is to let customers learn from it (when they get instant notifications as soon as malware starts attacking others).

Max
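
The reactive flow proposed in the message above (act on a listing notification, block port 25 for that account, notify the customer), as an added example that is not part of the original thread. The feed format, lease log, account names and function names are assumptions and all sample data is constructed; it also shows why DHCP-assigned addresses need a lease lookup at the time the spam was seen.

```python
import ipaddress
from datetime import datetime

# Constructed sample data (RFC 5737 documentation ranges), not real allocations.
ALLOCATIONS = [ipaddress.ip_network("192.0.2.0/24"),     # dynamic (DHCP) pool
               ipaddress.ip_network("198.51.100.0/28")]  # fixed-address customers
FIXED = {"198.51.100.5": "cust-biz-17"}
# DHCP lease log: (ip, account, lease_start, lease_end)
LEASES = [
    ("192.0.2.44", "cust-1001", "2017-02-13T08:00", "2017-02-13T12:00"),
    ("192.0.2.44", "cust-2002", "2017-02-13T12:05", "2017-02-13T20:00"),
]
# Hypothetical push notifications from a blocklist provider: (ip, seen_at, reason)
FEED = [
    ("192.0.2.44", "2017-02-13T09:30", "spamtrap hit"),
    ("192.0.2.44", "2017-02-13T12:02", "spamtrap hit"),   # falls between two leases
    ("198.51.100.5", "2017-02-13T10:00", "spamtrap hit"),
    ("203.0.113.9", "2017-02-13T10:00", "spamtrap hit"),  # outside our allocations
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def customer_at(ip, seen_at):
    """Return the account that held `ip` when the spam was seen, or None."""
    if ip in FIXED:
        return FIXED[ip]
    for lease_ip, account, start, end in LEASES:
        if lease_ip == ip and ts(start) <= ts(seen_at) <= ts(end):
            return account
    return None  # no lease covers that moment: do not guess an account

def plan_actions(feed):
    """Return (blocks, unresolved): evidence per account to block on tcp/25
    and notify, plus reports that need manual review."""
    blocks, unresolved = {}, []
    for ip, seen_at, reason in feed:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ALLOCATIONS):
            continue  # listing is not for our address space
        account = customer_at(ip, seen_at)
        if account is None:
            unresolved.append((ip, seen_at))
        else:
            blocks.setdefault(account, []).append((ip, seen_at, reason))
    return blocks, unresolved

if __name__ == "__main__":
    blocks, unresolved = plan_actions(FEED)
    for account, evidence in blocks.items():
        print(f"block tcp/25 outbound and notify {account}: {evidence}")
    print("manual review:", unresolved)
```
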
On Mon, Feb 13, 2017 at 05:43:09PM +0100, peter h wrote:
> The role for an ISP in fighting abuse is to detect and prevent its customers from sending malware & spam out of its network. Not filter incoming stuff, that would be censoring.

And requiring to submit publications to a third party for approval prior to sending them is *not* censorship?

rgds,
Sascha Luck
participants (6)
- Max Grobecker
- ox
- peter h
- Richard Clayton
- Sascha Luck [ml]
- Suresh Ramasubramanian