Re: IMC Update for February, 1998
Piet,

At 12:03 pm +0100 10/2/98, Piet Beertema wrote:
>> I thought that those of you who attended the spam BoF last week might be interested to note the IMC survey of publicly-known relaying smtp servers.
>
> The problem with this survey is that it is by no means exhaustive (500 mail hosts is in fact peanuts compared to the number of mail hosts globally), and probably for that reason doesn't mention the names of the hosts that allow relaying.

[If you remember, "naming-and-shaming" was thought to be unconstructive when discussed at the recent RIPE anti-SPAM BoF meeting. Is this what you mean? Personally, I think that this is a bit too aggressive.]

Perhaps a compromise is to compile a list of offenders and then contact the domain administrator for that host? (A standard canned message akin to the DNS "Lame server" one would do, I guess...?) We didn't actually discuss this at the meeting.

My reading of the IMC report was that it was intended to show "a large random sample" but I suppose that 500 is indeed small compared with 1) the number of MX records in the DNS and 2) the number of hosts accepting SMTP connections (larger). (For comparison, when I was analysing the COM domains last year to determine physical locations, I used 2 separate samples of 50,000 each - there were ~1,100,000 domains in the zone at the time.)

Note though that the IMC report makes no further comment nor claim about the applicability of its results more generally than the 3000 domains known to the IMC itself (through its mailing lists), except for the implicit comment (I guess) that those subscribed to IMC lists should really know better ;-) It does, however, state that an update will be forthcoming.

> A flaw in the test is that it used a valid domain name; using an invalid domain name (or a separate test using an invalid domain name) would probably have led to more refusals.

Hmmm. But most spammers use valid domains these days, don't they? Are there administrators who implement only the check_relay and not the check_from at the same time? My impression was that it is usually an all-or-nothing decision though I suppose check_from puts a much higher (DNS) load / delay on the relay?

> Even so it is shocking that 55% of the set of mail hosts tested apparently allows unrestricted relaying.

Indeed. My guess is that this is a conservative figure but, as you say, 55% is still too much. However, as was discussed at the meeting, even reducing the number of relaying hosts might not significantly reduce the amount of spam - it only takes one and relaying hosts are being added daily...

John

>> The problem with this survey is that it is by no means exhaustive (500 mail hosts is in fact peanuts compared to the number of mail hosts globally), and probably for that reason doesn't mention the names of the hosts that allow relaying.
>
> [If you remember, "naming-and-shaming" was thought to be unconstructive when discussed at the recent RIPE anti-SPAM BoF meeting. Is this what you mean? Personally, I think that this is a bit too aggressive.]

I happen to disagree: spamming has been going on for a long time now, so site administrators, and in particular people managing mail systems, should be fully aware of what spam does and what the risk of 'open relaying' is. Therefore administrators still providing 'open relays' are either simply ignoring all warnings or provide such 'open relays' explicitly. Given this, I think it's quite correct to expose the names of the offending sites. On the other hand it wouldn't be fair to expose only a small set of offending sites: a complete, worldwide list would be needed. But that's quite a job...

> Perhaps a compromise is to compile a list of offenders and then contact the domain administrator for that host?

You must be kidding. My own experience has shown:
a) Most of the administrators addressed don't even react.
b) Messages to some administrators bounce, despite the fact that I used the address in the SOA record!

> My reading of the IMC report was that it was intended to show "a large random sample"

That's what I read too, until I saw the real number:

> but I suppose that 500 is indeed small compared with 1) the number of MX records in the DNS and 2) the number of hosts accepting SMTP connections (larger).

Yes, 500 hosts is simply peanuts.

> Note though that the IMC report makes no further comment nor claim about the applicability of its results more generally than the 3000 domains known to the IMC itself (through its mailing lists)

Agreed.

>> A flaw in the test is that it used a valid domain name; using an invalid domain name (or a separate test using an invalid domain name) would probably have led to more refusals.
>
> Hmmm. But most spammers use valid domains these days, don't they?

No. My own logging of refused messages shows that more than half of the refusals stem from non-existent domains.

> Are there administrators who implement only the check_relay and not the check_from at the same time?

Quite possible.

> My impression was that it is usually an all-or-nothing decision though I suppose check_from puts a much higher (DNS) load / delay on the relay?

It sure is a tradeoff between higher load/delay and more 'aggressive' refusals.

>> Even so it is shocking that 55% of the set of mail hosts tested apparently allows unrestricted relaying.
>
> Indeed. My guess is that this is a conservative figure but, as you say, 55% is still too much.

Given what I've said above, I would consider 10% already as way too high.

> However, as was discussed at the meeting, even reducing the number of relaying hosts might not significantly reduce the amount of spam - it only takes one and relaying hosts are being added daily...

The latter is right of course, but I would expect the administrators of newly set up relaying hosts to be well aware of the risks and consequences of 'open relaying'. And I may be (too) optimistic, but I do believe that a significant reduction of the number of 'open relaying' hosts would deprive spammers of this particular resource and therefore *would* reduce spam.

Piet
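
[Added example, not part of any message in this thread and not code from the IMC survey: a small offline model of the point debated above, that a relay test sent with a valid sender domain only exercises a host's relay check, while an invalid sender domain is also refused by hosts that only verify the sender. The functions are named after the check_relay and check_from checks mentioned in the thread; the domains, addresses and the RESOLVABLE set standing in for DNS are constructed assumptions.]

```python
import ipaddress

# Constructed policy data for illustration (assumptions, not from the thread).
LOCAL_DOMAINS = {"example.org"}                      # domains this host delivers for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # clients allowed to relay
RESOLVABLE = {"example.org", "example.com", "example.net"}  # stand-in for DNS


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def check_relay(client_ip, rcpt):
    """Accept only mail for local domains, or mail from trusted clients."""
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def check_from(sender, resolves=RESOLVABLE.__contains__):
    """Accept only senders whose domain exists (one DNS lookup per message)."""
    return resolves(domain_of(sender))


def decide(client_ip, sender, rcpt, relay_check=True, from_check=True):
    """Verdict of a host that has the given checks switched on."""
    if from_check and not check_from(sender):
        return "refused: sender domain does not exist"
    if relay_check and not check_relay(client_ip, rcpt):
        return "refused: relaying denied"
    return "accepted"


def survey(sender):
    """One third-party relay test message evaluated against four host setups."""
    test_msg = ("203.0.113.9", sender, "someone@example.net")
    configs = {"no checks": (False, False), "check_from only": (False, True),
               "check_relay only": (True, False), "both": (True, True)}
    return {name: decide(*test_msg, relay_check=r, from_check=f)
            for name, (r, f) in configs.items()}
```

With a valid sender domain the "check_from only" host is counted as relaying; with a non-existent one it refuses, so the two test variants measure different things.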

On Tue, Feb 10, 1998 at 01:37:23PM +0100, John Martin wrote:
> At 12:03 pm +0100 10/2/98, Piet Beertema wrote:
>>> I thought that those of you who attended the spam BoF last week might be interested to note the IMC survey of publicly-known relaying smtp servers.
>>
>> The problem with this survey is that it is by no means exhaustive (500 mail hosts is in fact peanuts compared to the number of mail hosts globally), and probably for that reason doesn't mention the names of the hosts that allow relaying.
>
> [If you remember, "naming-and-shaming" was thought to be unconstructive when discussed at the recent RIPE anti-SPAM BoF meeting. Is this what you mean? Personally, I think that this is a bit too aggressive.]

What IMHO is completely overlooked in this context is that there are not only a lot of open MX relays, but also *many* more open workstations, even in domains that have relay-closed MX mailers. And although these workstations may be "protected" by valid MX records, they still have open mailers which can be misused. (Take at random ONE big university, collect all A records within that domain and its subdomains, and test for relaying. I would predict an extremely high success rate.)

While most system admins may get their MX mailers closed they will have problems doing this with the hundreds/thousands of workstations. And even if they do, those systems - from my experience - are often maintained by unqualified users and the next update they do will destroy the sysadmin's former efforts.

This will become a much more relevant topic in spam fighting than the open MX mailers are now. At least IMHO :-)

	\Maex

-- 
SpaceNet GmbH          | http://www.Space.Net/     | In a world without
Research & Development | mailto:research@Space.Net | walls and fences,
Frankfurter Ring 193a  | Tel: +49 (89) 32356-0     | who needs
D-80807 Muenchen       | Fax: +49 (89) 32356-299   | Windows and Gates?

participants (3): John Martin, Markus Stumpf, Piet Beertema