Spammers hapless fate = ISP toil and sweat
Luis Miguel Sequeira lms at esoterica.pt
Tue Sep 16 19:38:33 CEST 1997
Hello,

I normally just lurk around this mailing list, but I think I'll contribute my two cents this time...

Spamming is a serious problem. Here at Esoterica where I am, unsolicited email was about one half of total email traffic - which is quite a lot. Thus, our postmaster has dedicated all his available time to implement anti-spamming measures. What he found out is this:

Firstly, far from being "mindless robots", the companies in the spamming business are cold-hearted professionals. They have teams of professional programmers spending all their time just to develop new and more effective ways of illegally sending out unsolicited email - using several clever relaying mechanisms. They work full-time on the job. They are a strong force which will easily overthrow any basic measures taken against spamming - like simply filtering up domains, or blocking traffic from relaying machines.

Secondly, they are vindictive and protect their own jobs. This means that if an ISP tries to aggressively implement anti-spamming mechanisms, they will fight back! And how do they do this? For instance, they send out forged emails with these ISP's addresses. What happens? Entities receiving the forged emails will complain to the ISP in question. The ISP replies saying that the emails are forged, trying to make them understand that this is the "spammer's revenge". Most of these entities either don't care or don't believe, so they just shut the ISP off their firewall (especially if on the next day they get a new lot of unsolicited email apparently coming from the same forged addresses...). This forces the ISP to open up themselves to spamming from this particular company, hoping that they won't forge spamming attempts in the future...

As you see, they're quite clever. Their businesses and jobs depend on their cleverness.

How can ISPs successfully "fight back"? First, and foremost, they need to assume that the "threat" is serious.
Secondly, allocate resources to the job - this means a *lot* of time. But thirdly, and I think that's the major issue here, by sticking together. While a single postmaster probably won't be able to do much work single-handedly, having a group to coordinate the work is helpful. Some free time taken from a group of postmasters quickly adds up to a "task force" of some magnitude...

Basically, what our postmaster found out is that denying access is not a good measure - spamming companies will try every trick of the trade to get through or else they will try to hurt the blocking ISP in some way. UUNet, for instance, has publicly announced their "zero tolerance" towards spammers - it's no wonder that perhaps half of the spammers now use forged emails (and dial-up accounts) coming from UUNet to spam the net. Their hope is getting enough ISPs blocking UUNet's traffic so that UUNet is "forced" to "open" their machines to spamming again... (in our case, as a transit customer of UUNet I obviously can't block traffic through them :-) )

Better is just to make their action difficult. Remember that their jobs depend on getting as many messages through as possible (using third-party relayers). If a sendmail configuration just lets a few messages through, or selectively blocks some domain for a while, this means that this machine will only deliver a few messages - when spammers rely on tens of thousands to be delivered. This is uninteresting to them. They will thus use other machines as relays. Of course, this also means that your own users will see a delay on the sending of their own, legitimate messages. It's a tradeoff.

By using a combination of these tricks one can try to keep the spammers away for a while - until they develop a new creative method for spamming again. We have seen all sorts of very clever and ingenious methods to get through. Who knows what else they will invent next?
By keeping a mailing list with several postmasters' contacts it's possible not only to exchange domains from where the spammers usually attack, but anti-spamming techniques and tricks. There are some steps being taken at a national base here in Portugal (from where I'm writing :-) ) but, as shown by the traffic generated on this list on this topic of spamming, I'm going to make the suggestion again, at this level...

Do you think that there is some interest in maintaining a mailing list for all postmasters from the LRs for the sole purpose of discussing anti-spam techniques and listing spamming domains and relay machines? Would RIPE be interested in "sponsoring" this mailing list?

BTW, searching through the RIPE's Web site, the only mention of spam is in RIPE-162, chapter C2.1. This basically states the commitment of RIPE to maintain the mailing lists spam-free. I wonder if there is already a "task force" in place for anti-spamming measures. We're aware of some efforts on an international basis - mostly some Web sites with interesting information and data on anti-spamming measures, with associated mailing lists - but to my personal knowledge, there is no such coordinated effort at RIPE (so far :-) ).

There is also an issue of local laws. Filtering out spam *could* be illegal in some countries (it violates freedom of speech). In Portugal, spamming is actually illegal - it's "unsolicited email", and this is an abuse of a third party's infrastructure, i.e. using computational (and telecommunications) resources that you aren't allowed to. This makes it a crime according to Portuguese law. There is a case of mail bombing (a particular kind of spamming...) brought to court - it will take ages to be ruled and probably the offender will get away with some community work :) but it will be judged in court. Of course, in other countries, freedom of speech may be more important than using others' telecommunications resources.
I wonder if local laws will actually work *against* a RIPE-based global effort across Europe.

On 12-Sep-97 "Scott A. Marlin" wrote:

>Which basically means that any customer is free to spam. The ISP is
>there to take the rap and clean up afterward. I think for such matters,
>the "spammer" should be held responsible ... like being charged a flat
>or hourly rate for the cleanup job.

This is the case around here. Of course, catching the spammer and actually condemning him/her in court in order to charge him/her that rate is another story, especially if we're talking about an international incident. Better to prevent him/her from spamming in the first place.

>Incidentally, in the cited case, I sent a mail to an address mentioned in
>the ad asking them to stop sending the ads. What I got back was another
>mail from another source (obviously from a blind mail-robot) with *lots*
>of info about their services.
>
>At the bottom of the e-mail was a URL address for those who wished to
>stop the ads from being sent. Waaaay down at the bottom of this web site
>plugged full of promotional information was the opportunity to
>"register" my name in the database of those who didn't want to receive
>any more spam (the name of the link was a baby crying "mommy ... they
>thpammed me again".) Really !

One of the major issues about spamming customers is knowing how many people were actually reached by a spamming effort. Spamming companies have found out that these two tricks - "send email here to be deleted from our database" and "click here to remove yourself from our database online" - are the best to know if you're reaching people. Also, many postmasters will contact the spamming company in order to complain. Based on all this feedback, spamming companies can determine a "success rate" for their spamming efforts. This keeps their own customers happy...

A better way to deal with this is simply to ignore the message, and make sure that all your users ignore the spam, too.
In the long run, this means a lower "success rate" for a particular domain/spamming technique, so the spamming companies will probably try somewhere else.

>The entire operation took about 30 minutes. I haven't heard from them
>since. But I have received at least 10 unsolicited e-mails since then.

My bet is, they will try again and again and again. The problem is, each time your address is found on a Usenet post, on a subscription web site or on a mailing list, there is a high probability of someone "selling" your email address to a spamming company. For instance, I'm receiving spam to addresses that have been disconnected 2 and 3 years ago... DejaNews and other public sites with lots and lots of addresses are a perfect place to get all those addresses for the spamming lists...

- Luis Sequeira

Esoterica - Novas Tecnologias de Informacao, SA
Luis Miguel Sequeira
lms at esoterica.pt
http://www.esoterica.pt/