Re: Spammers hapless fate = ISP toil and sweat

Luis Miguel Sequeira <lms@esoterica.pt> writes:

> I fail to understand from where these guys get Internet connectivity. It would violate almost any AUP I know of...

Unfortunately, some well-known ISPs, especially Psi.Net and UUNet, but several others also, continue to give these guys internet connectivity. Customers of these providers are starting to discover that they are losing mail connectivity, so let's hope the AUP-ignoring ISPs will lose in the (not too) long run.

-- 
regards,
Espen Vestre
Telenor Nextel AS
Norway

On 18 Sep 1997, Espen Vestre wrote:

> Luis Miguel Sequeira <lms@esoterica.pt> writes:
>
> > I fail to understand from where these guys get Internet connectivity. It would violate almost any AUP I know of...
>
> Unfortunately, some well-known ISPs, especially Psi.Net and UUNet, but several others also, continue to give these guys internet connectivity. Customers of these providers are starting to discover that they are losing mail connectivity, so let's hope the AUP-ignoring ISPs will lose in the (not too) long run.

If someone could suggest how to identify a spammer *before* they start sending out email, then I am sure every person who has to deal with the spam would be most grateful; it will save them a lot of time and money.

When an ISP sells a connection to a company, they have no idea what the customer will use the connection for. Certainly, here at UUNET, our AUP is enforced. But if the spammer just buys another connection, how would we identify them? All the outside world will see is "another UUNET connected spammer", but to us, this is a separate customer.

The other unfortunate thing is that the law enforcement agencies will not assist ISPs in tracking down spammers. If the culprit has a dial-up account and dials into a network, you can get all sorts of information on them. But even if the caller is stupid enough not to suppress caller ID (or make the call from a payphone), the phone companies will not release the address that matches the phone number.

-- 
Keith Howell

On Thu 18 Sep, Keith C. Howell wrote:

> On 18 Sep 1997, Espen Vestre wrote:
>
> > Luis Miguel Sequeira <lms@esoterica.pt> writes:
> >
> > > I fail to understand from where these guys get Internet connectivity. It would violate almost any AUP I know of...
> >
> > Unfortunately, some well-known ISPs, especially Psi.Net and UUNet, but several others also, continue to give these guys internet connectivity. Customers of these providers are starting to discover that they are losing mail connectivity, so let's hope the AUP-ignoring ISPs will lose in the (not too) long run.
>
> If someone could suggest how to identify a spammer *before* they start sending out email, then I am sure every person who has to deal with the spam would be most grateful; it will save them a lot of time and money.
>
> When an ISP sells a connection to a company, they have no idea what the customer will use the connection for. Certainly, here at UUNET, our AUP is enforced. But if the spammer just buys another connection, how would we identify them? All the outside world will see is "another UUNET connected spammer", but to us, this is a separate customer.

One solution that I am aiming for (not implemented yet!) is tying our SMTP server into our database. When a customer connects, we look them up in the db based upon the MAIL FROM:<> value. From the db is returned a max limit of RCPTs that the user may issue for a single mail. New accounts can be given a value of 15 and incremented automatically by say 10 each month as our trust of them develops. If people want to run mailing lists etc. then they can phone/email us and we can manually up the limit, after making appropriate checks first.

Biggest problem in this is ensuring people have legal MAIL FROMs.

Regards,

aid

-- 
Adrian J Bool       | mailto:aid@u-net.net
Network Operations  | http://www.noc.u-net.net/
U-NET Ltd           | tel://44.1925.484461/
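The scheme Adrian describes above (per-sender RCPT cap looked up at MAIL FROM time, a 15-recipient starting value ramped by 10 per month, manual overrides for list operators, and rejection of MAIL FROM addresses that are not known customers) as an added worked example. This is not U-NET's code; the customer table, the month-based ramp, the reply codes and the example addresses are all assumptions made for illustration.

```python
"""Per-sender RCPT TO cap looked up when MAIL FROM is issued.

Added example, not U-NET's implementation. The account table below is a
constructed stand-in for the customer database; the ramp (15 recipients
for a new account, +10 per full month of age), the manual override and
the SMTP reply codes are assumptions.
"""
from datetime import date
from typing import Optional

BASE_LIMIT = 15          # recipients per message for a brand-new account
MONTHLY_INCREMENT = 10   # trust ramp: +10 per full month of account age
TODAY = date(1997, 9, 18)

# Constructed customer table: sender address -> (creation date, manual limit or None)
ACCOUNTS = {
    "alice@example.net": (date(1997, 9, 1), None),   # opened this month
    "bob@example.net":   (date(1997, 3, 1), None),   # six months old
    "lists@example.net": (date(1997, 1, 1), 500),    # vetted mailing-list operator
}

def months_between(start: date, now: date) -> int:
    """Full calendar months elapsed from start to now (never negative)."""
    months = (now.year - start.year) * 12 + (now.month - start.month)
    if now.day < start.day:
        months -= 1
    return max(months, 0)

def rcpt_limit(sender: str, today: date) -> Optional[int]:
    """Recipient cap for sender, or None when the MAIL FROM is not a
    customer address (the 'legal MAIL FROM' check Adrian worries about)."""
    entry = ACCOUNTS.get(sender.lower())
    if entry is None:
        return None
    created, manual = entry
    if manual is not None:
        return manual
    return BASE_LIMIT + MONTHLY_INCREMENT * months_between(created, today)

class Session:
    """State for one SMTP transaction: MAIL FROM, then a series of RCPT TO."""
    def __init__(self, today: date):
        self.today = today
        self.limit = None
        self.rcpts = 0

    def mail_from(self, sender: str) -> str:
        """Reply line for MAIL FROM:<sender>; unknown senders are refused."""
        self.rcpts = 0
        self.limit = rcpt_limit(sender, self.today)
        if self.limit is None:
            return "550 5.1.8 sender address is not a customer of this relay"
        return "250 2.1.0 sender ok (recipient cap %d)" % self.limit

    def rcpt_to(self, recipient: str) -> str:
        """Reply line for RCPT TO:<recipient>; refuses once the cap is reached."""
        if self.limit is None:
            return "503 5.5.1 MAIL FROM required first"
        if self.rcpts >= self.limit:
            return "452 4.5.3 too many recipients for this sender"
        self.rcpts += 1
        return "250 2.1.5 recipient ok (%d/%d)" % (self.rcpts, self.limit)

def run_transaction(sender: str, recipients: list, today: date) -> tuple:
    """Simulate one transaction; return (accepted recipients, first non-250 reply or None)."""
    s = Session(today)
    reply = s.mail_from(sender)
    if not reply.startswith("250"):
        return 0, reply
    for r in recipients:
        reply = s.rcpt_to(r)
        if not reply.startswith("250"):
            return s.rcpts, reply
    return s.rcpts, None

if __name__ == "__main__":
    bulk = ["r%d@example.org" % i for i in range(40)]
    for who in ("alice@example.net", "bob@example.net", "lists@example.net", "nobody@elsewhere.org"):
        print(who, rcpt_limit(who, TODAY), run_transaction(who, bulk, TODAY))
```

A real deployment would do the lookup in the SMTP server's policy hook rather than in a class like this one, and would have to decide what to do about senders who are customers of another provider but dial in through yours; the example simply refuses them, which is the strict reading of "legal MAIL FROMs".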

On Thu, 18 Sep 1997 16:48:45 +0100 (BST) Adrian Bool <aid@u-net.net> wrote:

> One solution that I am aiming for (not implemented yet!) is tying our SMTP server into our database. When a customer connects, we look them up in the db based upon the MAIL FROM:<> value. From the db is returned a max limit of RCPTs that the user may issue for a single mail. New accounts can be given a value of 15 and incremented automatically by say 10 each month as our trust of them develops. If people want to run mailing lists etc. then they can phone/email us and we can manually up the limit, after making appropriate checks first.

We do this with qmail.

-- 
Neil J. McRae - Alive and Kicking.
C O L T  I N T E R N E T
neil@COLT.NET
Ascend GRF: 100% CpF [Cisco protection Factor]
Free the daemon in your computer! http://www.NetBSD.ORG/

Date sent: Thu, 18 Sep 1997 10:28:43 -0400 (EDT)
From: "Keith C. Howell" <kch@uu.net>

> If someone could suggest how to identify a spammer *before* they start sending out email, then I am sure every person who has to deal with the spam would be most grateful; it will save them a lot of time and money.

Dialups should be forced to use their ISP's SMTP relay. Enough checks should be implemented, like ensuring valid MAIL FROMs and setting off all sorts of bells when the recipient count gets too high. These two alone would reduce spam a lot. If one adds forged-header checks and sender ident, he'd be perfect. Mailing-list distribution might also be forced into a controlled arrangement. Although these measures might be unwelcome to some customers, most legitimate users can live with it.

Just a thought.

----------------------------------------------------------------------
Andres Kroonmaa                  mail: andre@online.ee
Network Manager                  Organization: MicroLink Online
Tel: 6308 909                    Tallinn, Sakala 19
Pho: +372 6308 909               Estonia, EE0001
http://www.online.ee             Fax: +372 6308 901
----------------------------------------------------------------------

Hello,

On 18-Sep-97 "Keith C. Howell" wrote:

> If someone could suggest how to identify a spammer *before* they start sending out email, then I am sure every person who has to deal with the spam would be most grateful; it will save them a lot of time and money.
>
> When an ISP sells a connection to a company, they have no idea what the customer will use the connection for. Certainly, here at UUNET, our AUP is enforced. But if the spammer just buys another connection, how would we identify them? All the outside world will see is "another UUNET connected spammer", but to us, this is a separate customer.

I think this is exactly the same problem as with requests for domain names which are never paid and never will be, whose whole purpose of existence is giving an email message a "real existence" for a while for the purposes of getting feedback. If the InterNIC were able to know *beforehand* that these addresses would be used for spamming, they probably wouldn't ever consider registering the requested domains. So, knowing who is a spammer *beforehand* is impractical and almost impossible.

However, here is an idea for you: limit the number of email messages per user that may be sent at a time; limit the number of email messages with the same subject that may come from the same address; and finally, restrict the number of cc:'s or bcc:'s per message (for legitimate users, offer to set up their own, private mailing list - this will impress your customers with superb customer service :) and the time taken to set something up with majordomo would be negligible when compared with the wasted bandwidth).

Remember that spammers generate the same message for multiple users during a very short time period (or have messages with multiple cc:'s) and will, for the duration of a session, be mostly flooding port 25 with several messages. This kind of usage pattern should be easily detected by a few scripts (just by looking at the mail logs...) and you could temporarily block port 25 for that user's particular IP address for a while... This will mean that:

a) legitimate users, who just send a few messages at every time of the day, would not notice any difference;
b) private mailing lists (ie. people in dire need to contact a large, legitimate base of users on a regular basis) would be implemented the correct way, ie. a majordomo/listserv/whatever solution (bcc's just waste CPU power);
c) spammers, while still being able to spam, would give up as your mail server would be "too slow" to process tens of thousands of messages, forcing them to drop you as a provider and try elsewhere (additional accounts would be useless for the same reasons).

Of course, in an ideal world, every ISP would implement exactly the same anti-spamming measures and spam would be controlled in a matter of days :-) But look what it means if a LARGE group of ISPs (say, all of those in Europe) implement similar measures. You could actually claim, as a block, that spamming will not be tolerated in a large geographical region (or for a large group of users). This means that spamming companies will be unable to offer their customers service into those areas. That's why it's so important to implement a common set of rules and standard practices (an Internet draft, an RFC, something like that) against spamming: if you're actually blocking a large percentage of the Internet from spamming attacks, the spamming companies will lose customers. And will go broke. After a while, you can invert the tendency: ISPs *permitting* spamming (ie. those not actively implementing anti-spamming techniques) will be avoided by potential customers. The active implementation of anti-spamming techniques would become a commercial advantage...

> The other unfortunate thing is that the law enforcement agencies will not assist ISPs in tracking down spammers. If the culprit has a dial-up account and dials into a network, you can get all sorts of information on them. But even if the caller is stupid enough not to suppress caller ID (or make the call from a payphone), the phone companies will not release the address that matches the phone number.

Around here you can easily get the address based on the phone number unless it's confidential, but I think that the issue here is implementing anti-spamming techniques (ie. making the spammers' life so hard that they will give up your ISP and find another one) that will keep them away. Mind you, I live in a country where issues in court take AGES (several years) to solve, so the only legal consideration we usually have is whether the measures we're taking against spammers (or any other kind of abuse) are legal, ie. making sure that *they* wouldn't sue *us* for anything. Once that issue is clear, the only thing we need to think about is how we are going to stop them from pestering us. The police are always quite helpful and exchange some emails about the issue, but we know perfectly well that the *courts* will take too long to react to a spamming attack (I shudder at the thought of actually defining "spam" in court in front of a judge...). So I really think that it's more important to prevent spamming than to take any legal action against spammers. Even in countries with a good and fast legal system you have the problem of international law - which will take ages even if both countries have excellent legal systems. :-(

Again, this view comes mainly from having to live under an ugly, painfully slow legal system (which has some very nice laws if you could just find someone to enforce them in useful time...).

As a conclusion: if I can't know who is a spammer *before* the act, and if I can't convict him of that crime at once, the only solution left to me is *preventing* him from committing this crime. I hope that at least the simple techniques described before will help you out with the spammers...

- Luis

 ____ \   Esoterica - Novas Tecnologias de Informacao, SA
 :-)      Luis Miguel Sequeira
/___,     lms@esoterica.pt   http://www.esoterica.pt/
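The log-scanning detection Luis sketches above (many messages from one address in a short period, the same subject repeated from one sender, and large cc:/bcc: fan-out, leading to a temporary port-25 block for the offending IP) as an added worked example. This is not Esoterica's script; the log line format, the thresholds, the block duration and the sample log are all constructed for illustration, and a real mail log would need a parser matched to the MTA in use.

```python
"""Spot a spam run in mail logs and compute temporary port-25 blocks.

Added example, not Esoterica's scripts. The log format, thresholds and
block duration are assumptions. Each constructed log line looks like:
    <epoch seconds> ip=<client> from=<sender> subject="<text>" nrcpts=<n>
Three signals are checked, following the post above: a burst of messages
from one sender inside a short window, the same subject repeated from one
sender, and a large recipient count on a single message.
"""
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 300        # burst window (assumed)
MAX_MSGS_PER_WINDOW = 20    # messages from one sender inside the window (assumed)
MAX_SAME_SUBJECT = 10       # identical subjects from one sender over the whole log (assumed)
MAX_RCPTS_PER_MSG = 50      # cc/bcc fan-out tolerated on one message (assumed)
BLOCK_SECONDS = 3600        # how long port 25 stays closed for a flagged IP (assumed)

LINE_RE = re.compile(r'^(\d+) ip=(\S+) from=(\S+) subject="([^"]*)" nrcpts=(\d+)$')

def parse_line(line):
    """Return (ts, ip, sender, subject, nrcpts) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, sender, subject, n = m.groups()
    return int(ts), ip, sender.lower(), subject, int(n)

def analyse(lines):
    """Return {client ip: sorted list of reasons} for IPs that look like a spam run."""
    recent = defaultdict(deque)                          # sender -> timestamps in window
    subjects = defaultdict(lambda: defaultdict(int))     # sender -> subject -> count
    flagged = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                     # unrelated log line, skip it
        ts, ip, sender, subject, nrcpts = rec
        q = recent[sender]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:          # slide the window forward
            q.popleft()
        if len(q) > MAX_MSGS_PER_WINDOW:
            flagged[ip].add("burst")
        subjects[sender][subject] += 1
        if subjects[sender][subject] > MAX_SAME_SUBJECT:
            flagged[ip].add("repeated-subject")
        if nrcpts > MAX_RCPTS_PER_MSG:
            flagged[ip].add("fan-out")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}

def block_rules(flagged, now):
    """Turn flags into (ip, expiry epoch) pairs for the packet filter to apply."""
    return sorted((ip, now + BLOCK_SECONDS) for ip in flagged)

# Constructed sample log: one ordinary user, one bulk mailer, one bcc fan-out, one junk line.
SAMPLE_LOG = (
    ["%d ip=10.1.1.5 from=Alice@Example.net subject=\"re: lunch\" nrcpts=1" % (874600000 + i * 900)
     for i in range(4)]
    + ["%d ip=10.1.1.77 from=deals@bulk.example subject=\"MAKE MONEY FAST\" nrcpts=1" % (874600000 + i * 5)
       for i in range(30)]
    + ["874600500 ip=10.1.1.9 from=carol@example.net subject=\"newsletter\" nrcpts=120",
       "874600501 garbage line that is not a delivery record"]
)

if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for ip, why in sorted(hits.items()):
        print(ip, why)
    print(block_rules(hits, now=874600600))
```

The window is keyed on the sender address but the block is applied to the client IP, which is what the post proposes; a spammer rotating MAIL FROM values on one dial-up line is still caught by the fan-out and burst checks only if you also key a window on the IP, which is a one-line change to `recent`.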

I think we all agree that the technical efforts that each of us has endured for the last few months trying to get ahead of spammers' tricks have produced some results... until they get some new trick (like the unallocated IP-BGP one from Nick. I hope AGIS is not on this list :(...

At 10:28 18-09-1997 -0400, Keith C. Howell wrote:

> On 18 Sep 1997, Espen Vestre wrote:
> [...]
> The other unfortunate thing is that the law enforcement agencies will not assist ISPs in tracking down spammers. If the culprit has a dial-up account and dials into a network, you can get all sorts of information on them. But even if the caller is stupid enough not to suppress caller ID (or make the call from a payphone), the phone companies will not release the address that matches the phone number.

...unless there is a judge's order to do so (at least that's how it works here). And one can reject incoming calls that don't have Caller-ID, ISDN Calling Party ID, etc. (but then they will start by attacking the PTT telephone switch :(

We all agree that going after each spam individually, each ISP on its own, is not practical:
- it has high technical labour costs;
- it has high legal costs;
- it has VERY limited effect on the problem as a whole, because there are way too many clueless companies willing to pay 200 USD to send a mass mailing.

However, we tend to address this problem only from a technical perspective (probably because this is where we feel we can do something about spam)... and laws and lawyers are generally "taboo". However, if we agree that:
- most spams originate in the US;
- the justice system seems to work there;
- spams are eventually paid for by businesses (that buy "spamming services" from spam operations);
- the US has explicit laws against spam, aka "unsolicited bulk email" (US Code Title 47, Sec. 227(a)(2)(B)), which is supposed to define a 500 USD compensation for EACH e-mail message spooled;
- the US has the largest concentration of lawyers and law firms eager to get a few million USD more;
- businesses are not especially fond of getting a huge suit asking for compensation, especially if the plaintiff is represented by one big-shot law firm.

What about organizing something along these lines?
- pick a case where most of us have been hit by spams for the same company's products, where at least 10,000 instances of the same message can be individually identified in our combined spools/mailboxes. Collect a copy of each message, with headers, and organize them as proof.
- select one of the large law firms in the US, and file a suit for 10,000 x 500 USD = 5 million USD against that company. They would have the "carrot" of getting x% of the compensation actually paid. If some minimum fee is needed it would be supported by us/RIPE. (x can be as high as 99% if we feel comfortable with it)
- have them win the case;
- make a lot of publicity directly and get a lot of it indirectly.

Ideally:
- RIPE could organize this, and we would all delegate to RIPE all the compensation from the action (which RIPE would continue to use for the benefit of Europe's part of the Internet :)
- the target company(ies) should be big enough to be able to pay the 5 million USD without going bankrupt, and should be listed on one of the stock exchanges, so that a suit against it would have to be published by the company itself under stock exchange laws. If we're lucky, their stock prices will fall sharply, getting attention also from the "Business Press", etc. Possibly a series of several suits against a few such companies would be needed to get enough publicity (but if one wins the first, the next will be easier).

What I would hope for is that the attention raised in the media on the VERY NEGATIVE business results of "cheap massive Internet mailings" (as "spam" is known in the business world) would deter anyone but the clueless from resorting to spamming. Even if it doesn't completely stop all of them, it will make the number of companies buying spamming services smaller because of the legal action risk, and that would make spam prices higher (or make spam operators unable to pay smart people to develop tricks to work around our spam-blocks) and create a positive feedback cycle here that would eventually put spam back into the small dimension it was a few years back.

I guess this is a bit Machiavellian, and I might be a bit too willing to use legal tricks against them, but as a RIPE member I would clearly support an action from RIPE to get some "legal counsel" to check what the odds of winning such a case are...

On the technical side, however, I propose that all of us stop our clients' ability to use other people's mail relays, by blocking SMTP access to all but the ISP's own relays. This seems pretty easy to implement on most dialup/permanent connections these days. This brings me back to Keith:

> If someone could suggest how to identify a spammer *before* they start sending out email, then I am sure every person who has to deal with the spam would be most grateful; it will save them a lot of time and money.
>
> When an ISP sells a connection to a company, they have no idea what the customer will use the connection for. Certainly, here at UUNET, our AUP is enforced. But if the spammer just buys another connection, how would we identify them? All the outside world will see is "another UUNET connected spammer", but to us, this is a separate customer.

...this "UUNET connected spammer" would probably be very easily detected by UUNET itself, if he were only able to use UUNET's email relays, wouldn't he?

just my .02 Euro

kind regards,
---
pedro ramalho carlos
Pedro.Carlos@co.ip.pt
IP SA                       tel: +351-1-3166724
Av. Duque de Avila, 23      fax: +351-1-3166701
1000 LISBOA - PORTUGAL
PGP Key fingerprint = B7 45 B2 F9 F3 1F 67 19 1F 24 76 67 8D F6 2C B2
participants (7)
- Adrian Bool
- Andres Kroonmaa
- Espen Vestre
- Keith C. Howell
- Luis Miguel Sequeira
- Neil J. McRae
- Pedro Ramalho Carlos